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ABSTRACT 


Access control of computing systems is considered a Key issue among 
Information Systems managers. There are different methods available to 
computing systems to ensure a proper authentication of auser. Authentication 
mechanisms can use simple user-generated passwords to complicated 
combinations of passwords and physical characteristics of the user (i.e., voice 
recognition device, retina scanner, signature recognition device, etc.). 

This thesis looks at the various authentication mechanisms available toa 
security manager. It describes how different authentication mechanisms 
Operate and the advantages and disadvantages associated with each 
mechanism. It also reports on several commercially available software products 
that support the user authentication process. Finally, a discussion of 
password use in the military environment and the unique requirements of the 


Department of Defense. 
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i. INTRODUCTION 


The proliferation of computer technology has' bred 
opportunities for ill-intentioned individuals to violate the 
integrity and validity of computer-based information systems 
(ls) At the same time, a growing dependence on computer- 
based information systems creates an urgent need to collect 
information and render it accessible. (Zviran and Haga, 1990a) 

The developments ita @ computers and communications 
technologies in the last two decades has made most 
organizations susceptible to misuse or abuse of computer-based 
information systems. While information systems can provide an 
improvement in an organization's functioning and enhance its 
services, they can also expose that organization to greater 
risks as they become more dependent on information resources. 
Recent surveys of top IS management issues indicate that 
security is considered a top concern (Brancheau and Wetherbe, 
1987; Dickson et al, 1983). Therefore, the amount of 
information security that an organization requires to protect 
its computing facilities and information resources is a key 
management issue (Wilson et al., 1990). 

Peis eltevedyenar onl yiavour Joe percent: Of Computer 
crime ever comes to the attention of law enforcement agencies 


(Carroll). 1987) According to recent studies, American 


businesses lose $3-5 billion each year in computer fraud 
(ews, 2967 2. In England, a report issued by the Audit 
Commission indicates that companies are still ignoring the 
threat posed by poor computer security (Lauchlan, 1991). This 
report recounts that 40% of all breaches of security reported 
involve compUlter fraud (Lavichran, l391)-. 

Access control ensures that unauthorized users do not gain 
entry into a computer system, as well as preventing a 
legitimate user from performing a function inside the system 
that he/she is not allowed to do (Wood, 1983). An IS manager 
can approach access control with external and internal 
methods. External mechanisms include such methods as making 
Physical access difficult by use of guards, locks, or some 
type of token (Ahituv et ai., 1987). Internal controls are 
aimed to prevent unauthorized tampering with data. These 
controls are designed to prevent users from accessing segments 
of memory to which they are prohibited. While access control 
is one way of providing internal security and control, there 
are other specific approaches that can be used in conjunction 
with access controls to prevent an unintended intruder 
(Denning and Denning, 1979). 

The focus of this thesis is to survey the various user 
authentication mechanisms for improving computer security. 
Chapter II is8 an overview of user authentication and a 
description of authentication mechanisms and their importance. 


Chapters III and IV deal with traditional and advanced 


password mechanisms respectively. These chapters describe the 
characteristics of user-generated passwords, machine-generated 
passwords, passphrases, authentication by word association, 
cognitive passwords, and authentication servers and discuss 
their advantages and limitations. Chapter V is an evaluation 
of traditional password and advanced password mechanisms. 
@napteer Vil discusses current password use >in. practice. 
Alternative authentication mechanisms are discussed in Chapter 
VII, to include automatic call-back procedures, authentication 
servers, token and smart card use, and information on 
biometrics. Chapter VIII includes a discussions on password 
encryption and the use of various commercially available 
software products that can assist an IS security manager in 
strengthening an organization's authentication procedures. 
Finally, Chapter IX deals with password use in the military. 
This chapter focuses on National Security Agency (NSA) 
guidelines for password use, as well as similarities and 


differences between civilian and military applications. 


II. USER AUTHENTICATION OVERVIEW 


A. AUTHENTICATION OVERVIEW 

User identification is the process by which an individual 
identifies himself or herself to a computer-based information 
system as a valid user. User Authentication is the procedure 
by which a user establishes that he or she is indeed that 
user, and has the right to use the system or portions of it. 
A simple authentication system can effectively prevent the 
casual prowler from poring through the system. (Hutt, 1988) 

Most operating systems have applied stringent security 
measures to lock out illegal users before they can access 
system resources. User authentication mechanisms are an 
important ingredient in these security schemes. 

Authentication mechanisms are divided into three 
categories: 


What they Know, such as a password or an encryption key 


What they possess, such as a token or a capability 


Something about you, such aS a picture or a fingerprint 
(Wood, 1983; Spender, 1987; Weiss, 1990) 


Authentication usually operates in the following manner: 
a user enters some piece of identification, such aS a name or 
an assigned user-ID. This identification can be available to 


the public (e.g., when it also serves as the user's e-mail 


identification) or easy to guess (e.g., a user's first name). 
Thus, it does not provide security for the system. To 
authenticate a user, the system requests further information 
(e.g., a password). If the authentication information matches 
that on file for the user, the user is granted access to the 
system. A mismatch leads to a denial of access (Wood, 1983). 
Use of ATMs is an example of a combination of something a user 
has (a plastic card) and something a user Knows: the Personal 


Identification Number (PIN), which serves as a password. 


B. AUTHENTICATION MECHANISMS 

Several authentication mechanisms are available to 
computer users. The most common mechanism used today is a 
password. Traditional password mechanisms fall into two 
categories: user-generated or system-generated. More advanced 
password schemes include passphrases, associative passwords, 
cognitive passwords and authentication servers. Alternative 
authentication mechanisms include automatic call-back 
procedures, authentication servers, tokens and smart cards, 
and biometric devices. 

Some authentication procedures are purposely slow. 
However, while it is not inconvenient for a legitimate user if 
Ghe authentication procedure takes 5 to 10 seconds, a brute 
force attack on a system that requires 5 or 10 seconds per 
attempt makes this class of attack generally infeasible. 


(Pfleeger, 1989) 


There are other ways to discourage unauthorized users. If 
someone fails to log-in after several attempts, it is common 
for the system to disconnect, forcing a user to reestablish a 
connection with the system. This method will slow down a 
penetrator from attacking the system. 

In a more secure environment, stopping a penetrator may be 
more important than tolerating users' mistakes. In such cases 
a system may limit password entries to three tries, assuming 
that legitimate users can type their passwords correctly 
within three tries. After a third successive password 
failure, the account is disabled, and can only be reenabled by 
the security administrator. This action, while inconvenient 
due to denial of services, may help in identifying accounts 
that may be the target of attacks by penetrations. 

The underlying assumption in password authentication 
assumes that only a user to whom the password belongs knows 
it. However, passwords can be guessed, deduced, or inferred. 
One method of uncovering a users password is to simply ask 
him/her “for 1c. Other passwords have been obtained by 
watching a user typing in his/her password. This causes flaws 
in the authentication process. (Menkus, 1988) 

Advanced password mechanisms help eliminate the way an 
intruder can obtain a password. By requiring more than a 
Single password, advanced authentication mechanisms provide a 


level of security that is desirable to many IS organizations. 


In addition to passwords, there are several alternative 
mechanisms available to assist user authentication. These 
include tokens, smart cards and biometric devices such as 
handprint detectors, voice recognizers, and identifiers of 
patterns in the retina. Although expensive and in some cases 
still experimental, these devices are useful in very high 
security situations. (Wilson, 1987) 

The next chapters discusses the various authentication 
mechanisms, providing definitions, examples, and analysis of 


their advantages and disadvantages. 


III. TRADITIONAL PASSWORD MECHANISMS 


A. PASSWORD OVERVIEW 

A basic access control routine in any computer cpemgaged 
system is to @E6NSWbe) Propels erwauenenti cartier: The mest 
commonly used authentication method is the password. 
Developers ot password access control packages have used an 
analogy of a fence or wall protecting a valued physical asset. 
Once a user has presented the correct password, he or she 
essentially passes over this logical fence and gains access to 
the information system (Wood, 1987). In a large number of 
computer systems, passwords are the first line of defense 
against unauthorized persons trying to gain access to computer 
resources. Sometimes it might be the only line of defense. 
As such it is imperative that this defense be as formidable as 
possible (Wood, 1983). 

Passwords are formally defined as "any sequence of 
letters, numbers, special symbols, or control symbols,...non- 
printing, that are used to authenticate a computer user's 
identity". (Riddle et al., 1989) 

In some cases a user chooses a password, while in others 
a password 1s assigned by the system. The compositicgnmece: 
passwords varies from system to system. “~Phe eftectivencsaman 


a password is dependent on the balance to be struck between 


the ease with which it can be remembered and the difficulty 
with which it can be guessed by an unauthorized party. In 
theory, the only person who should know the user's password is 
the user. (Riddle et al., 1989) 

Passwords are considered to be of limited usefulness as 
protection devices because of the relatively small number of 
Baes Of Inftormation they contain. However, despite horror 
stories associated with password use, researchers say that 
passwords can provide ample security if managed and handled 
properly. (Betts, 1985) 

An underlying goal of password security is to cause 
minimum inconvenience to users. As the first line of defense, 
a password security system should prevent unauthorized entries 
as well as preventing authorized users from engaging in 
unauthorized activities. (Morris and Thompson, 1979; Jobusch 
and Oldehoeft, 1989; Riddle et al., 1989) 

Passwords should be hard to guess and hard to determine 
exhaustively. A fundamental dilemma of password selection is 
that easily remembered passwords are easy to guess; the hard- 
to-remember passwords get written down and therefore can be 
misused or stolen. (Highland, 1990) 

In the case of an occasionally mistype of passwords, a 
user should receive a message of INCORRECT LOG-IN at which 
point the log-in procedure should be repeated to gain access 
to the system. Even the worst typist should be able to log-in 


successfully in three to five attempts. (Menkus, 1988) 


Operating systems often encourage users to change their 
passwords regularly. Password aging, or the enforcement of a 
maximum password lifetime is one method of automatically 
forcing users to change their passwords. Such mechanisms can 
typically enforce a minimum and maximum amount of time between 
password changes. The regularity of password change is 
usually a system parameter, which can be changed for a given 
installation. 


While password aging may seem like a good idea, many argue 


that it is counter-productive. Users do not like to change 
passwords; systems requiring them to do so may cause 
frustration. Mechanisms that do not warn of an upcoming 


expiration of the password can actually decrease security, as 
such a mechanism may suddenly demand that a new password be 
set. Such practices will probably not result in the best 
password choice, and most likely will be written down as well. 
Systems supporting minimum lifetimes can actually stop users 
from changing their passwords. Minimum lifetimes are 
primarily used to keep users from "cheating" the aging system, 
by changing to a temporary password, and then back to the old 
one (Jobusch and Oldehoeft, 1989). 

Changes should be made periodically, depending on the 


security classification of the information to which @eney 


afford access. Passwords to special control information 
Should be used once only. Passwords to confidential 
information should be changed daily. Passwords to private 


E18) 


information should be changed weekly. Other passwords can be 
changed as desired, but this should be done no less frequently 
than once every six months. (Carroll, 1987) 

Auditing, when used with password mechanisms, is used to 
record events that occur during authentication attempts. 
Information collected by auditing software includes: 

successful log-in and log-out information 

unsuccessful log-in information 

successful password changes 

unsuccessful password changes 


number of currently active sessions. (Jebuscn. -and 
Oldehoeft, 1989) 


Using this information provides a method of detecting a 
perpetrator using a stolen account, asS well as attempted 
breakins. Audit information can also be used to deactivate a 
port or a username if a high rate of authentication failure is 
detected. (Jobusch and Oldehoeft, 1989) 

Monitoring of a password system should not be left to 
those times when Serious violation occurs. Even though this 
Operation might be repetitive and boring, it is essential to 


maintaining security. (Highland, 1990) 


B. USER-GENERATED PASSWORDS 
Since a password has to be remembered, people tend to pick 


Simple passwords (Pfleeger, 1989). If a user iS picking a 


ab 


password, he or she is probably not choosing a word completely 
at random. Most likely a user's password is something 
meaningful to him or her. People typically choose personal 
passwords, such as the name of a spouse, a child, a brother or 
sister, a pet, a street name, or something similar. 

It would be easy to select a password by picking two short 
words and separating them by punctuation, digits or control 
characters. Here are a few examples: 

rae! oSver= Ie 
DOOrthoy, 
out#sick, 
home*run 
Digoe- Mac. 

Another route to strong passwords is to select a common 
and easily remembered phrase, eliminating the spaces between 
words and truncating after the required number of characters. 
Here are some examples: "He is a dud" becomes "heisadud, " 
"Peter Piper" becomes "peterpip," and "floppy disk" becomes 
YEVGppY oe ke = 

Foreign languages also work very well as passwords. For 
example, try "thank you" or some other phrase in the foreign 


language. Or truncate a translation as necessary. (Highland, 


1390) 
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Practical guidelines regarding password selection include: 


Use more then A-Z. When using A-Z, there are only 26 





pessibilities per character. Adding digits expands the 
number of possibilities per character to 36. Using both 
upper and lower case letters plus digits expands the 
number of possibilities per character to 62. 


Choose long passwords. The combinatorial explosion of 
passwords begins at length 4 or 5. Choosing 6-character 
or longer passwords makes it less likely that a password 
will be uncovered. 


pod aGullal Tames Ol words: Theoretically there are 


abou 200). lliem>-"words”” | (iwe? Vany. combination of 
characters) of length 6, but there are only about 150,000 
Words in -a~qood "Collegiate drvecionary,, ignoring length. 








Choose an unlikely password. In order to remember the 


password easily, you want one that has special meaning. 
However, you don't want someone else to be able to guess 
this special meaning. 


Change the password regularly. Even if there is no reason 
to suspect that the password has been compromised, change 


is advised. 
Den C/write 1 down . 


Den’ t= -tell anvone. (Pitleeger, 1989) 


User-generated passwords are popular because they are 
conceptually Simple, relatively inexpensive, easy to 
administer, and user friendly. (Wood, 1990) 

Disadvantages of user-generated passwords are many. 
First, if a user makes the password as secure as possible, he 
Or she cends to write 1c down so .as noe. to forget it. By 
doing so a user is leaving it open to compromise. Second, if 


a user does not put effort into selecting a password by 


choosing a familiar name or trivial association it makes it 


BES: 


easy for an intruder to Piguremome: Third, even if a good 
password is chosen, if a user keys it in slowly or allows 
someone to watch as it is keyed in, it is then subject to 
compromise. And finally, there are many ways for an intruder 
to untold an operating system in order to find the password 
table and decipher it or use some method to capture the 


password. (Ahituv et al., 1987) 


C. MACHINE-GENERATED PASSWORDS 

A password generator is a program that creates strings to 
be used tor machine-generated passwords. Such programs are 
made available on systems in an effort to ensure "good" 
password choices. How to design a password generator that 
produces passwords that are both difficult to guess and easy 
for a user to remember is not immediately apparent. While it 
is easy to generate random strings to be used as passwords, 
they most likely will not be easy for a user to remember. 
Also, password generators that are not sufficiently random in 
the method in which they select passwords may be limited in 
the number of passwords they can generate. (Jobusch and 
Oldehoeft, 1989) 

A password generator that can produce pronounceable 


passwords is desirable, as these passwords are more likely to 


be remembered than a random string of characters. Such a 
System depends on a set of rules that "define" what 
pronounceable means. A sample set of rules may include: 


14 


a consonant must be followed by a vowel ot any type 


a vowel may be followed by a vowel of a different type, or 
by a consonant 


never have more than two consecutive vowels of any type. 
(Jobusch and Oldehoefty, 1969) 


Typically, a random number generator is used to select 
random letters or groups of letters that are considered 
pronounceable. These groups of letters are then linked 
together to form the password. While the resulting "word" may 
not be recognizable, it should be pronounceable in the way it 
is constructed. (Jobusch and Oldehoeft, 1989) 

Machine-generated passwords are attractive because they 
can ensure that passwords are relatively strong (Wood, 1990). 
It is far easier to maintain control over password selection 
in a system wherein passwords are machine-generated and 
assigned to users than one in which users may select their own 
passwords (Highland, 1990). 

Unfortunately, the disadvantage is that such passwords are 
difficult for a user to remember and because of that they run 
amgmeater risk of compromise (Highland, 1990; Wood,°.1990). 
Maes Gditrficulty leads to two problems. First, a user who 
forgets his or her password must bother the system manager for 
a new one. Secondly, one important security dictum says, 
“Never write down your password." In machine-generated 
password systems there is no effective way of keeping users 


Poon Violating “he dictum (Highland ,- 1990; Wood, 1990). 


Lo 


Machine-generated passwords are also problematic because 
the results of some pseudo-random number generators used to 
produce them are readily reproducible by an informed opponent 
who has access to the algorithm employed. To make matters 
worse, in an attempt to generate pronounceable words, many 
machine-generated password mechanisms significantly reduce the 
number of possible passwords. This reduced pool from which to 
pick machine-generated passwords in turn reduces the required 
effort to guess a valid password. (Wood, 1990; Bishop, 1991) 

Because this fact of human nature, some security directors 
have decided to stop using machine-generated passwords and go 


back to user-selected ones (Highland, 1990). 


D. PROBLEMS WITH TRADITIONAL PASSWORDS 

There are several problems associated with traditional 
password mechanisms. First, passwords can be intercepted at 
the point of entry. With most systems the password is not 
displayed as it is entered, so an interceptor must watch your 
fingers as opposed to the screen (Betts, 1985). Even by 
watching your fingers, if the interceptor can not get all the 
Characters he maybe able to pickup the pattern for entry. 
Even such information as left-right-right-shiftt-lett-nuneo, 
would substantially reduce the possible passwords to try 
(Avarne, 1988). 

second, passwords are in the clear from the moment they 


are entered until the moment they are accepted by the host 
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computer. Therefore, if someone has tapped into the 
communication line in a network, they can intercept a user's 
password. Tricking novice users with false log-in programs 
that steal passwords is another way of abusing insecure 
communication lines. Such. “programs » pPOINnt "Out — ancotner 
transmission concern: how do users know if they are really 
communicating with the host? Outside of using secure and/or 
encrypted communication lines, the insecure transmission of 
password information can be a serious weakness in any password 
mechanism. (Jobusch et al.,;, 1989) 

Traditional passwords discussed in this chapter have three 
fundamental weakness. They are: 

They can often be guessed. 

They are entered in the clear. 


They are used more than once. (Avarne, 1988) 


All of these problems occur because a traditional password 
is static. Frequent change of passwords are desirable. To 
foil these kinds of attacks, the password has to be changed 
almost immediately after it is used. Few human users can 
handle so frequent password changes and so only change 


passwords when required by the system. (Pfleeger, 1989) 


i 


The password schemes examined in the next chapter try to 
alleviate these weaknesses. Chapter IV deals with more 
advanced schemes for password security including passphrases 
and question and answer schemes. Question and answer schemes 


include word association and cognitive passwords. 


re 


IV. ADVANCED SCHEMES FOR PASSWORD SECURITY 


Advanced password security schemes are more than just a 
string of several alpha-numeric characters. They may include 
a series of questions and answers or may be a passphrase that 
a user must recall in order for the authentication process to 
be completed. Figure 2. depicts the various types of advanced 
password schemes. 

The advantage of an advanced scheme is it can provide 
better security for computer systems than traditional password 


schemes (Smith, 1987; Zviran and Haga, 1990b). 


ADVANCED PASSWORD SCHEMES | 
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Figure 2. Advanced Password Schemes 
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A. PASSPHRASES 

A passphrase is one form of authentication that is just a 
longer version of a password. It involves arbitrary selection 
of easily remembered, but very likely to be meaningless, three 
or tour word phrase from previously defined lists of 
adjectives, nouns, verbs and such. An example of a passphrase 
might» -be- "big Ginls -crinkawine.: A passphrase is used as 
though it were a single password. (Menkus, 1988) 

When users select their own passwords, they are more 
likely to remember them, but chosen passwords can often be 
easily guessed. Thus, if passwords are generated with the use 
of a pseudo-random number generator that include both letters, 
humbers, and control characters, they are considerably more 
secure, although unpopular with users. Passphrases then seem 
to be a relatively attractive compromise between ease-of-use 
and high security. (Wood, 1983) 

Passphrases are easily to remember because they are user 
selected and are more than just as random collection of 
characters. But there are problems associated with 
passphrases. Even though a user may recall the passphrase 
without writing it down, a frequent user may become upset at 
the prospect of typing such a long string of characters every 
time they desire to use the system (Porter, 1982). Therefore 
systems should not require a minimum password length that is 
unreasonably long. Passphrases may in fact be an inadequate 


means of authentication for frequent users (too long) but can 
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prove useful to those who experience long intervals between 
pog=onS 

Another problem with passphrases is the same as with 
simple passwords, passphrases may need to be checked for 
mravidlity: choices like “mary had a little lamb” will most 


likely be guessed (Porter, 1982; Jobusch et al., 1989). 


B. WORD ASSOCIATION 

Nhe “pracciedgl meced of Computer Security 1s to ,1dentity 
users quickly and reliably by some process which does not 
handicap effective computer use. For that purpose a test is 
needed with several characteristics. The test must elicit 
individualistic responses from different users, so it can 
identify any particular user quickly. The test should be 
based on easily remembered material, so that it imposes little 
memory burden ona user and can be reliably administered. And 
ideally the test, by its nature, should elicit user interest 
and cooperation rather than resentment. The key to meeting 
these requirements is to devise a test that enlists the 
cooperation of users themselves. (Smith, 1987) 

One promising approach for verifying user identity would 
be a question and answer test called word association. But it 
must be a personalized test whose contents are specified by 
each individual user, rather than one general test applied by 
the computer to all users. Word association can be unique to 


eal sindividual, tf they are chosen for that purpose (1.6. 
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avoiding such common associations as "black-white"). Word 
association could be quite strong, and if chosen carefully 
could be remembered without particular effort. And if each 
user is permitted to specify his/her own association, there 
would be very little user resistance expected to this kind of 
TeSscing., 

Word association would work in the following manner. At 
initial enrollment anew user is asked to provide the computer 
with a list of 20 cues (words or phrases) along with a 
response that the user associates with each one. The computer 
would store those cue-response association safely away. Then 
on subsequent attempts to access the computer, the computer 
would select a cue at random and challenge the candidate user 
to give the stored response, repeating that process as 
necessary to confirm the user's claimed identity. Depending 
upon the computer assessment of risk a user might be required 
to give one response or several, but presumably not all 20. 
(smith, 1987) 

The cue list would look different for every user. A cue 
list and response list could be generated by a user in less 
then 30 minutes. The critical decision in creating a list is 
to choose a context in which associations are already 
established. Probably most people will find it easier to 
remember associations if they choose single integrating 
context for their entire list, although that is not strictly 


necessary to the process. 


22 


Users should select single word responses for greater 
certainty of memory and for greater ease of entry in response 
to displayed cues. 

Most users have rich associations with people and places, 
and thus it is probable that most spontaneously created cue 
lists would have proper names as their specified responses. 
However, that is not strictly necessary to the process; as a 
response the user could choose any word that he/she is 
reasonably certain to remember. It 18 not necessary that a 
response be "correct" in any sense except that it matches 
whatever response was initially stored for that cue. To pass 
this test, the user does not have to remember the state flower 
of Alaska or any other factual data. Note also that a users 
personal association will not necessarily correspond to 
general stereotypes. (Smith, 1987) 

smith conducted tests six months after users provided a 
list ot cues and responses to test the ease with which word 
association could be remembered. When asked to reproduce 
their cue list most people had problems recalling the list. 
One person could not remember any of the cues. The others 
each managed to remember some, although not with complete 
accuracy. 

These people were then each shown their original cue lists 
and asked to recall the correct responses. They remembered 


almost all responses correctly and with little difficulty, 
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averaging 94 percent correct, indicating persistent strenamn 
of their word associations even after a six-month interval. 

Twelve months later (i.e. 18 months after list creation), 
the same people were tested again. They were first asked to 
recall the cues that they had devised, which they could do 
Wlth only partial success~ They were then asked to recall 
responses to thelr original cue lists, which they could sum 
do with reasonably good accuracy, averaging 86 percent 
Correct. M@smith, Vige7) 

Good recollection of such word association could be 
expected on several grounds. The responses were cued, which 
should aid recall. The material to be remembered was 
generated originally by each individual tested, and self- 
generation is know to aid recall (McFarland et al., 1980; 
Slamecka and Graf, 1978). Most responses reflected personal 
rather than impersonal associations, which also aids recall 
(Rogers et al., 1977). 

Assessing memory after such long periods of disuse 
represents an extreme test. In reality, a user's memory would 
be tested more frequently, perhaps as often as daily or even 
more frequent with certain users. Thus through repeated use 
many users would come to remember the cues as well as the 
responses. On the other hand users need not remember the cues 
for associative testing to work. Certainly a user would not 
need any printed record of his/her cue list, nor any display 


of the entire list except perhaps when changing it. And there 
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would be no need to display for any purpose the stored 
responses that have been specified for cues. 

User may at times forget the proper response to a 
particular cue. If that were to happen, the user presumably 
could authenticate his/her identity by responding correctly to 
several other cues, however many the computer logic might 
impose in the interest of adequate security. 

Authenticated users should be able to change their cue 
lists from time to time, just as they might change a password. 
Thus if a user noticed that a particular association was not 
easily remembered, he/she might choose to change it. Or 
perhaps the computer could keep track of user errors and draw 
a troublesome association to a user's attention for potential 
revision. It is possible that with changing interests a user 


might wish to change a list simply because it has become 


Der ang . 
Considered overall, the potential value oba word 
association for user authentication seems promising. This 


method imposes only modest demands on the user, and it would 
require relatively little computer logic to implement. Simple 
interactive software routines that would accomplish the basic 
functions of initial user enrollment, subsequent cue-response 
exchange for authenticating user identity, and occasional user 
revision of stored cue lists and associated responses would be 
needed. More complex software might be needed for risk 


assessment, flexibly COnurolling the stringency Oba 
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authentication procedures. But a simple matching 10g1¢ swam 
suffice to process the word associations on which user 


authentication is based. (Smith, 1987) 


C. COGNITIVE PASSWORDS 

Cognitive passwords as a security scheme evolved from 
Smith's (1987) work with word association. Instead of 
challenging a user with a single list of word association 
cues, cognitive passwords challenge a user with a set of five 
randomly selected cognitive questions out of a pre-selected 
set of questions and answers (Zviran and Haga, 1990b). 

Cognitive password systems and word association systems 
are similar in that they both ask a user to provide the data 
upon which their passwords are based. The password challenges 
consist of fact-based and opinion-based cognitive data that 
only a user should know. A fact-based question asks a user 
something that the user knows but which is a fact independent 
of any feeling about it. For example, "What is the name of 
the elementary school that you last attended?". An opinion- 
based cognitive item asks for an opinion about something: 
"What is your favorite type of music?" or "What is your 
favorite flower?" 

A cognitive password system will combine both user- 
generated and system-generated characteristics. It is system- 
generated in that the security administrator creates question 


that would be used to generate a response from a user. The 
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exact response to these questions would be entirely user- 
generated. Hence, a cognitive password system is basically an 
access quiz. If the user responds correctly to a series of 
questions concerning him/herself, he/she would then be 
authorized access to the computer system. (Zviran and Haga, 
1990b) 

There are several advantages associated with a cognitive 
password system. First, since the cognitive password is 
Sigmiticant to the user, but not readily associated with him 
@iemiver, it 1S easy fer a User to remember, but difficult tor 
an intruder to guess. Second, the responses may be of such 
length that a brute force attack would be thwarted. A nn ad 
finally, a cognitive password system requires’ several 
questions to be answered correctly, so this layering adds an 
additional degree of security. 

There are also several disadvantages associated with a 
cognitive password system. First, users of the traditional 
password system have a tendency to forget a single password, 
therefore remembering many cognitive passwords would seem to 
be harder for the user. Secondly, it is unlikely that a user 
would remember all of his responses so establishing an 
acceptable miss percentage may be difficult to do. if 2. as 
set to low, an intruder may penetrate the system; if it is set 
to high, authorized users may be denied access. (Haga et al., 


1989) 
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V. EVALUATING PASSWORD MECHANISMS 


Several studies have been conducted to determine the 
memorability of traditional password and advanced password 
mechanisms and their susceptibility to guessing by someone 
close to the user. These studies are discussed in tne 
following section. 

The second section of the chapter discusses empirical 
evaluation of password usage and the composition of those 


passwords. 


A. COMPARISON OF PASSWORD MECHANISMS 

Beedenbender (1990) conducted research into the recall of 
traditional passwords and advanced password schemes. Several 
Gifferent questionnaires were used with the intent either to 
verify information from previous studies or to justify 
conclusions about new areas of study. 

The respondents answered two versions of the original 
questionnaire and a significant other (spouse, close friend or 
family member) completed a second form of the questionnaire. 
The questionnaire asked for the respondent's sex, years of 
computer usage, types of computers with which they were 


experienced and a respondents identifier (i.e., Social 
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Security Number (SSN ):).. The SSN was used to tie ail the 
questionnaires together with the COLnEECE respondent. 
(Beedenbender, 1990) 

The second part of the questionnaire asked the respondents 
to create a password of up to eight alphanumeric characters. 


The test group was asked to memorize and sate guard this 


password. They were then asked how they devised this 
password. The second part of the questionnaire contained a 
unique, eight character, system-generated password. Pie — 


five of the questionnaires had a system-generated random 
alphanumeric password while the other bor cy eign: 
questionnaires had a system-generated pronounceable password. 

The second part of the questionnaire asked the respondents 
to create a passphrase consisting of any combination of up to 
80 alphanumeric characters. There was no minimum requirement 
for the passphrase. The respondents were urged to memorize 
and safeguard this passphrase like any other password. They 
were then asked how they derived this passphrase. 

The questionnaires were identical in their third part. In 
this section, 20 open response questions ask for items of 
information that were described as cognitive passwords. The 
first group consisted of six personal facts assumed known 
only to the respondent or someone socially close to the 
respondent. The second group asked 14 opinion-based questions 


(ee. favorice. fruit, ,lavorite food etc). 
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The final part of the questionnaire requested the 
respondent to come up with a list of 20 word associations. 
The respondents were not required to use a central theme 
throughout nor was there any limitation or minimum number of 
alphanumeric characters in either the cues or responses. The 
respondents were then asked to copy just the cues onto another 
questionnaire to see if a socially close person would be able 
to figure out the responses. (Beedenbender, 1990) 

Three months after the initial questionnaires were 
completed, the respondents were asked to recall the password 
they selected, the system-generated password, and the 
passphrase they supplied. They were also asked the method of 
recall used. 

In the identical version of the cognitive password 
section, the same respondents were asked the same questions 
again. 

In the identical version of the word association section 
the respondents were asked to regenerate their list of 20 cues 
and responses. As soon as the respondents had generated as 
many associations from memory as possible, they were given a 
lust cf Veheir anveral 20> “cues: They were then asked to 
generate as many responses as they remembered. If, ates 
point, they were still unable to remember thelr respenceee 
they were given the central theme, if any, to aid them 


correctly remembering their responses. 
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The final section of the questionnaire requested the 
respondents to rank the various password methods by ease of 
memory. The respondents were then asked to rank the methods 
by how they liked them. 

Another questionnaire was then given to the significant- 
other. The first part of the questionnaire asked for the 
respondents SSN and the relationship of the significant-other 
to the respondent. The second part of the questionnaire 
repeated the 20 cognitive password questions. The 
significant-other was asked to indicate what they thought the 
respondents would answer to each of the questions. They were 
asked to complete the form without help from the respondents. 

The final part of the significant~others questionnaire 
asked them to determine the responses to the cues written down 
by the respondents from the word association portion of the 
initial questionnaire. After attempting to figure out the 
correct responses without aid from the respondent, the 
Significant-other respondent was given a second chance. This 
time the respondent would inform the significant-other if 
there was a central theme to the association and if so, what 
it was. 

In both the cognitive password and word association 
sections it was assumed that if someone socially close to the 
respondent was unable to figure out the correct responses, 
then the chances of an intruder figuring out the responses 


would be slim. 
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Over the three month period only 27.2% of the respondents 
could recall the password that they had created themselves. 
As in previous research studies, this research showed that as 
password length increased it became more difficult to 
remember. (Beedenbender, 1990) 

Similarly only 12.7% of the respondents could recall tiem 
system-generated alphanumeric password. However, the 
respondents assigned a system-generated pronounceable 
password, 37.5% were able to recall it. It should be pointed 
out that not one respondent was able to remember the random 
alphanumeric password on his own. Among those who did recall 
Lt, 8654. 7%,. had weitten i down 

Only 21.4% of the respondents were able to remember their 
passphrases. Most of the respondents, TT tase choose 
passphrases consisting of fewer than the minimum recommended 
thirty characters (Porter, 1982). This did not help thenmera 
recalling their passphrase. 

After the three month period, the respondents recalled an 
average of 74% of their cognitive passwords. Two respondents 
were able to recall all 20. The recall average of the fact- 
based cognitive passwords was 83%. The opinion-based 
cognitive password recall was some what less, only 74.8%. The 


people socially close to the respondents could guess no more 


than an average of 38% of the respondents' cognitive 
passwords. Only a few significant-others could legitimately 
guess more than 10 out of 20 responses. Two significant— 


SA 


@eners COUld) hot Guess Many Of stne 20 responses correctly. 
(Beedenbender, 1990) 

he Guessing Gf Lact—-based cognitive passwords showed the 
Pa? we canta ther able =O COrrectly respond to 442.8% c2 the 
M@iescions while averaging only 322.5% f0r the cpinion=based 
Cognitive passwords. 

Tae MNOtlIeon =hat .pecple more socially chose €¢ tne 
respondents are better guessers than those even slightly 
removed, was tound to be true. The average number of correct 
guesses for famiiy members was 650%, while spouses were 41% and 
friends were 23.5%. (Peedenbender, 1990) 

On average, the respondents recalled 69% or their word 
association. Seven respondents recalled all 20 responses and 
eeemoae a third remembered 90% or more. of thelr responses. 
While there was success at the high end cf the spectrum. 
feere was 2 tairly.unitorm distribution ©: ) respondents 
remembering from 30%-90%. This distribution may be explained 
by the fact that respondents were given a free reign in making 
up their word association. Unlike the cognitive password 
section, in which all the respondents answered the same 
questions, the word associations had various degrees of 
difficulty depending upon how challenging each respondent 
decided to make them. (Beedenbender, 1990) 

Even with the wide variance, the average success rate was 
Over twice that of the user-generated password method. In 


SQONPerVsSOn MWitn Ge he ~overall” Success. rate of cognitive 


passwords, word associations were not as great (69% to 74%). 
However, there were twice as many respondents scoring 90% or 
more correct responses on the word associations than on the 
cognitive passwords. 

The significant—-others, on average, could guess only Zou 
of the correct responses. Seventeen significant-others could 
not guess even one response correctly. A small percentage of 
Significant-others (10.3%) were able to guess ten or mere 
responses correctly. When significant-others knew the central 
theme the success rate improved to 33%. There were still six 
significant-others who could not guess any correct responses. 

Even with the theme, the significant-others failed to 
guess as many correct responses (33% to 38%) as they had in 
the cognitive passwords section. Also, unlike cognitive 
passwords, social closeness made no significant difference in 
the ability of the significant-other to figure outieme 
responses. (Beedenbender, 1990) 

When ranking the various methods as to how easy they were 
to remember, the respondents clearly chose user-generated 
passwords as the one that they thought was easiest. However, 
this method was one of the worst for recall by the 
respondents. Other than this, the rankings generally 
reflected how the respondents actually did in recalling their 
passwords from the different methods. (Beedenbender, 1990) 

In another study, Zviran and Haga (1990) conducted tesee 


of the memorability of cognitive passwords and their 


34 


Susceptibility to guessing by people close to the users. At 
the same time they tested the recall of system-generated 
passwords (random alphanumeric seven-character strings) and 
user-generated passwords. 

The study included the use of three similar versions of a 
self-administered questionnaire. The primary respondents in 
the study, called user-respondents, answered a first 
questionnaire to determine their age, sex, years of computer 
usage, the types of computer which they have used (mainframe, 
stand-alone micro or micro linked to mainframe) and the last 
BeuUredigits of their Social Security Number (SSN). The SSNs 
were used to hide the identity of the respondents while 
allowing for a method of linking future questionnaires 
together. 

The second part of the questionnaire asked the user- 
respondents to create a password of up to eight alphanumeric 
characters. They were urged to memorize and safeguard it like 
any other password. They were then asked how they devised it. 
Finally, in this part of the questionnaire they were assigned 
a system-generated unique seven-character password. These 
passwords were constructed of random combinations of letters 
and numbers. The respondents were asked to memorize and 
safeguard this password as well. 

The third section of the questionnaire asked for twenty 
open-response, cognitive items. T1LS- .afermacaon fre ll into 


two groups. In the first group were six items that asked for 
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personal facts that assume only a respondent or someone 
So¢lally closes co a@respemtent vould Know. For example: 
elementary school attended, first name of favorite uncle, 
first name of best triend in high school, mother's maneen 
name, first name of first boyfriend/girlfriend or ftathermgs 
SecuUpaclon. In the second group were 14 opinion-based items 
that asked each respondent to declare favorites. For example: 
favorite music, favorite color, favorite flower, tavommee 
vegetable and favorite dessert. Again it is assumed that only 
someone close to the respondent would know the responses. 
(Zviran and Haga, 1990D) 

The rirst questionnaires were completed and three months 
later the respondents were given a second questionnaire. This 
questionnaire repeated the same 20 question from the previous 
ORM It also asked the respondents to recall the password 
they created and the system-generated password they were 
assigned. They were then asked if they had recalled the 
passwords from memory or had resorted to writing them down. 

The significant-other version of the questionnaire asked 
tor only two items of identifying data: the last four @igamee 
of the user-respondent's SSN and the relationship of the 
significant-other to the respondent. The remainder of the 
questionnaire repeated the 20 cognitive question from the 
rirst two forms. Each significant-other respondent was asked 
to complete the questionnaire without help from their user- 


respondent friends or spouses. They were asked to guess what 
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he/she thought his or her user-respondent would answer to each 
question. They were also asked to answer only questions that 
they were confident of their responses, leaving blank those 
items where they would have to guess widely. This was done in 
order to see how well the significant-others could guess the 
responses of the user-respondents. Assuming that if people 
who were socially close to the users showed deficient 
knowledge of personal data, then someone who was socially 
distant from the same user would be unlikely to guess 
cognitive passwords. (Zviran and Haga, 1990b) 

The results showed that after the three month interval, 
respondents were better able to recall conventional passwords 
that they created than they were at recalling passwords that 
were assigned to them. A minority of the respondents wrote 
down the self-created passwords while most of them wrote down 
the passwords assigned in order to aid in remembering the 
passwords. 

The average number of correct recalls by the user- 
respondents on all cognitive data questions was 82 percent. 
That equates to 15 to 17 correct responses. Compare the level 
of these responses with responses for the two type of 
conventional passwords recalled over the same period and the 
best response was 35 percent for self-generated passwords. On 
the cognitive data continuum, that equates to only 7 correct 


matches. No respondent scored that low on cognitive data. 


ce 


The significant-other questionnaire showed an accuracy Of 
only 27 percent correct responses of all cognitive 1tems sae. 
correct responses were skewed towards the low end or the 
scale. Only one person was able to guess 10 out of 20 
cognitive questions correctly. Moreover, & comparison of the 
profile or this distribution with that of the user-respomceme. 
showed no overlap between user-respondent responses and 
Signi t 2 cant -oOener vespoensess 

The signiricant-others were able to guess only 37 percent 
on average of fact-based items. It 1s assumed that 
Significant-others would know fact-based items better than 
tney would know opinion-based items. That appears to be true 
Since significant-cthers guessed only a third of opinion-basgeg 
items. Even though they are precisely the people who should 
know better than anyone the personal facts about user- 
respondents. 

Assuming that significant-other are in the best position 
to possess personal knowledge about the user-respondent then 
the accuracy of personal knowledge will decrease it even the 
slightest social distance is introduced. This was proven out 
when the number of correct guesses by spouses were compared to 
correct guesses by friends. The spouses guessed correctly on 
29 percent of the items while the friends guessed correctly on 
only 16 percent of the items. (Zviran and Haga, 1990b) 

Over the three month period, the study showed that the 


recall of cognitive items was noticeably better than the 


Sie, 


recall or either the self-created or assigned passwords. 
Cognitive passwords were recalled 82 percent of the time while 
self-generated and system-generated passwords were recalled 


35% and 23% respectively. 


B. EVALUATION OF PASSWORD USE 

Several studies have been conducted to assess usage 
patterns ot traditional passwords. 

Morris and Thompson (1979) conducted experiments to 
determine typical users' habits in the choice of passwords 
yanems moO COMnStraint 1S, put. on thelr choice. The results are 
Grsappointing. In a collection of 3,289 passwords Morris and 
Thompson found, 15 were single ASCII character; 72 were 
strings of two ASCII characters; 464 were strings of three 
ASCII characters; 477 were strings of four alphamerics; 706 
were five letters, all upper-case or all lower-case; 650 were 
Six letters, all lower-case. An additional 492 passwords 
appeared in various dictionaries, name lists, and the 1ike. 
A total of 2,831 or 86 percent of this sample of passwords 
fell into one of these classes. 

There was overlap between the dictionary results and the 
character string searches. The dictionary search alone, which 
required only five minutes to run, produced about one third of 
the passwords. (Morris and Thompson, 1979) 

In another study conducted in 1987 at Syracuse University 


using the university's timesharing system, 6226 user-selected 
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passwords used to authenticate 7014 computer user identities 
were compared. Researcher found that if left on their own, 
people are lazy about passwords, relying on easy to remember 
passwords such as initials, pronouns, nouns, or mnemonics) gama 
unless forced to, people do not change their passwords on a 
regular basis. People prefer three to five character 
passwords to seven or eight character passwords. Only a small 
number of users seek complex passwords using number and 
letters in all eight positions. Only 15% of the passwords are 
repeated. The majority of passwords are as unique as the 
people who created them. About 30% of all the passwords that 
are user created use a true English word; an additional 10% 
can be assigned a part of speech based on the English word 
found in them. If two- or three-character passwords are 
excluded, about 44% of the passwords use a true English word 
while approximately 60% can be assigned a part of speech. 
(Riddle et al., 1989) 

In a study conducted by Zviran and Haga (1990) of 997 
self-generated passwords they found that 80.1 percent of the 
passwords consisted of alphabetic characters only, 13.7 
percent of alphanumeric characters, 5.5 percent of numeric 
characters, and 0.7 percent of ASCII characters. The average 
number of characters in a password, calculated from the 
password lengths in the study, was six. Thirteen percent of 
the passwords consisted of eight characters, 14 percent of 


seven characters, 25 percent of six characters, 24 percent of 
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erve. scharaccers, 27 percent of four ¢haracters, and. 5.6 
percent of three characters. (Zviran and Haga, 1990) 

One survey, conducted recently at a government agency, 
found that 43% of the agency's 1,500 employees used two- 
Gharacter passwords (probably their initials), and over 25% 
used a single character. Compliance with good practice is no 
better in business. A survey of 50,000 users in several 
private companies revealed that about 20% used single 


character passwords. (Highland, 1990) 
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VI. PASSWORD USE IN PRACTICE 


This chapter will expose a reader to the practice of 
password usage in commonly used computing environments. The 
system access control for three major operating systems on 
mainframes/minicomputers will be discussed (i.e., IBM's MVS, 


DEC's VMS/VAX and Unix). 


A. MULTI-USER OPERATING SYSTEMS 

Security in multi-user operating systems covers three 
areas: system access control, file access control, and audit. 
System access control is concerned with the identification and 
authentication of users when they first establish contact with 
the system. This includes both interactive access through 
terminals along with access through network protocols and 
batch access through jobs. File and database access controls 
are concerned with controlling access to both programs and 
data files by authorized users. Detection of unauthorized 
access attempts and verification of authorized access is 
controlled by the audit function. (Courtney, 1991) 

1. IBM's VMS 

IBM's MVS operating system for the System/370 

mainframes was a successor of the System/360 operating system, 


and was principally designed to support commercial batch 
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processing in a closed environment. Although the first 
version in 1976 already contained the time-sharing option 
(TSO) software, this interactive user interface was still 
dedicated to preparing batch jobs, submitting them and 
inspecting the results of their execution. In fact, TSO was 
subordinate to batch in those days. Owing to the "closed 
shop" characteristics and the emphasis on batch production, 
access control was not one of the major topics during the 
design of those early non-RACF (resource access control 
facility) systems. (Paans, 1991) 
The security mechanisms initially integrated in 

System/370 and MVS were as follows: 

Both the hardware and operating system allowed a 

distinction to be made between authorized system software 

and unauthorized user programs (supervisor vs. problem- 

program mode, key in storage, virtual vs. real storage, 

address spaces, etc.). 

When logging on to TSO the user had to provide a user ID 

and a password. Both were stored in clear text in the 


system library SYS1.UADS. 


The system data set PASSWORD could contain read and/or 
write passwords for data sets. 


For data sets controlled by the virtual storage access 
method (VSAM) it was possible to define passwords which 
were stored in the catalogues. 


An expiration date for a data set could be defined. 
(Paans, 1991) 


Although there are security mechanisms allowing at 
least some control over users, many computing centers do not 


really use them because of lack of interest in security, or 


43 


used them in such a way that they are rendered ineffective. 
(Paans and Bonnes, 1983) 

Initially MVS contained an interface for a security 
package, which was later filled in by RACF. The first versions 
of RACF were designed to allow a gradual move from an 


unprotected environment to a protected environment, and only 


controlled those subjects (persons, users) and objects 
(resources, data sets) explicitly defined. For each subject 
and each objet one had to create an RACF profile describing 


the authorities of the subjects, the access requirements for 
the objects, the relations, etc. In those days security was 
sometimes characterized as "nothing is protected unless 
explicitly specified", especially because many centers did not 
bring all users under RACF control. They were usually 
satisfied when the most important users and resources were 
protected, and allowed the remaining users to work as non-RACF 
users and to access unprotected data sets. (Paans, 1991) 
While the password was first in clear text in the 
system library SYS1.UADS, with RACF it was moved to the RACF 
database and was scrambled via a masking algorithm. Although 
this provided more security, the password still remained in 
clear text in the terminal status block (1SB) im evintuaee 
storage legible to many users, and, moreover, the masking 
algorithm was easy to compromise. Hence the design of TSO was 
improved to remove the clear text password from the TSB, and 


RACF was extended with data encryption standard (DES) for 
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passwords. This was RACF 1.6 in 1984, introduced a one-way 
encryption via DES and so storing encrypted passwords which 
could not be decrypted (Mclellan, 1986; Paans, 1991). 
Moreover the system administrator was now allowed to 

specity rules for password syntax and usage. He now may issue 
the following parameters: 

A list of previous passwords is maintained and the user is 

not allowed to select one of them when specifying a new 

password. 

After a specified number of days a password is marked 

expired and has to be changed by the user during his or 

Mee next 1eg-cn. 

If a user forgets his password and attempts to guess it, 

RACF will revoke (freeze) his userid after he exceeds the 

specified threshold. 

Up to eight syntax rules can be specified for new 

passwords. For each position, one may indicate whether 

alphabetic, alphanumeric, numeric, vowel, non-vowel and 

constant character are allowed. (Paans, 1991) 

RACF at the level 1.6 and higher provides sufficient 

Support to force the users to uSe passwords in a responsible 
and secure way. Keeping in mind that a trivial password such 
as a user ID or the user's Christian name can only be selected 
once, and thereafter has to be followed by at least twenty 
three other passwords. Moreover, forcing the user to insert 
at least one numeric in the password inhibits the use of names 
of persons and brands of cars. And, after all, the hacker has 
only three to five chances to guess the correct combination of 


userid and password. Elementary statistics show that the 


probability of a hit is negligible in such an environment as 
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long as there are reliable procedures for initial passwords 
and password resets. With modern RACF and a security minded 
attitude by those in charge of the system, hackers have no 
realistic chance to breach the security. (Paans, 1991) 
2. DIGITAL EQUIPMENT CORP.'s VAX/VMS 

When DEC released its initial version of VMS in 1978, 
it protected the password file with an encryption algorithm 
called AUTODIN 2 CRC. That algorithm performed a hash on the 
password and then stored the 32-bit hash rather than the 
password itself. (Mclellan, 1986) 

ita became, however, a tempting target her 
cryptanalysts and by 1980, two different methods had been 
discovered to invert the algorithm and decode the password. 

DEC realized that it should not have encrypted the 
password alone, and that 32-bit hash was too short to avoid 
“aliases” (identical encrypted passwords for different users). 
It also realized that the AUTODIN 2 CRC encryption algorithm, 
which executed in 140 microseconds, was too fast, allowing 
brute-force decryption schemes to work. 

After three years of using AUTODIN 2, DEC shifted 
(with VMS version 2) to the so-called Purdy algorithm for 
encrypting its password authorization file in its VMS version 
2. DEC also changed the encryption procedure to use a 64-bit 


hash of the password, plus user's name, plus 16-bit random 
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"salt" that was also stored in the user's User Authorization 
parle. (UAF) record, (Melellan, 1986) 

The mix of these three elements, plus the addition of 
a random salt, meant that any brute-force attack had to target 
each user's password individually--rather than try a 
particular password guess across the entire authorization 
Be he. In addition to making the encrypted pasSword user- 
Specitic, DEC nad--with the Purdy algorithm--shifted to a 
crypto system that was almost 100 times slower than the 
PUmOUOrN 2 CRE. (Melellan,. 1986) 

The Purdy algorithm in a VAX has no "key." It is 
Simply an inherently irreversible mathematical scheme based on 
the difficulty of factoring large numbers--the same class of 
problems at the heart of the widely publicized RSA "public 
key" crypto system. 

DEC exhibited considerable independence in choosing 
the Purdy algorithm over government-approved forms of 
eryptography-—-specifically the Data Encryption Standard (DES) 
algorithm promoted since 1975 by the National Security Agency 
(NSA) and the National Bureau of Standards (NBS). 

By avoiding DES, DEC successfully stepped out of the 
class of code users who were overly dependent on government 
approval. By doing so, DEC escaped the impact of the NSA's 
announcement in 1985 that DES was now so old and too widely 
meed to be trusted any longer. Also, in relying on a-cipner 


that used prime-number factoring as its coding principle, DEC 
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chose a scheme that is actually mathematically similar to the 
crypto devices the NSA 1s now promoting for new, “stronger= 
than-DES”" crypuemsecurityea Mc lewlarneelo86) 

DEC's VMS has achieved a National Security Agency 
(NSA) rating of C2 which provides the capability of defining 
who can and cannot use the system, what they can access, and 
why. It also provides a strong audit capability to eneuige 
control is maintained while retaining the flexibility needed 
in a general purpose operating system. (Candia, 1990) 

DEC's latest release, VMS version 5.4 includes 
additional password controls. For security managers worried 
about sophisticated users bypassing minimum password length 
requirements, the algorithm has been changed. For sites with 
local requirements for password hash algorithms, there is now 
a means of specifying one's own algorithm. (Kilgallen, 1991) 

For most sites, however, the password history and 
password screening features are the most signiticatie 
improvements. By default, VMS will retain a history of hashed 
values of users passwords, and prohibit the user from choosing 
a new password which has been used in the past. There is 
limited amount of space (adjustable by the system manager) for 
storage of old passwords. By default, this will hold several 
years worth of passwords, even if they are changed as often as 
once per month. For the malevolent user who decides to change 


his or her password many times to overflow the space, there 1s 
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no safety. In that event, VMS forces that particular user to 
use a machine-generated password. (Kilgallen, 1991) 

Password screening prevents users from choosing new 
Basswords which are found in>an on-line dictionary of Norer 
American English words. In addition to dictionary screening, 
Wise 5.4 ia!1S0 SUppOrts sSslte-Speclific exits during vcassword 
selection, so that local tests can be made as to the 
Suitability of passwords. This could be used to enforce a 
requirement that all passwords include both letters and 
numbers, or that no password start with the letter A, or any 
Orner restriction. 

It is imperative that security managers ensure that 
the new security features on VMS V5.4 are actually being used. 
At many sites system managers have decided to exempt some or 
all users from the new password requirements. Viewed from the 
security perspective, that 1s ridiculous; but it still 
happens. 

Of course, system managers have the ability to 
override these password restrictions and assign trivial 
passwords to themselves or to certain favored individuals. 
The fact that password restrictions are normally in place does 
not eliminate the need to periodically run password-guessing 


tests against each machine. (Kilgallen, 1991) 
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32. UNDE 

Unix systems make use of a modified version of the DES 
algoritnm. As with IBM systems, Unix systems put a password 
into the DES key port in order to make it a one-way encry~ amas 
system. But as with DEC with the Purdy algorithm, Unix avoids 
both government crypto controls and the inherent risk of being 
part of a large group that is uSing a Standard cages 
algorithm /nettso ay a a) gVewskiek=, target f One hostile 


CryPptanalysts. "1 cle lane oce) 
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features that make Unix machines easy to use can 
also make them vulnerable to attack. Hence, Unix has acquired 
a Feputation for Weak “security Weenstonc 291990] 

The parameters and practices for user IDs and 
passwords set up by the IS staff are the most important 
Criteria for securely running any computer “systen- These 
eontrols are even more critical Uncer Unix. 

in Unix, a user creates an ID, also referred onesie 
open ID or open account, that requires no log-in password. 
Users of open-IDs must be assigned to singie-user workstations 
that have no outside connections. Thus, an open-ID would be 
unacceptable for a multi-user system or a network. (Lonsford, 
1990) 

Two features that can create problems similar to the 
open user ID are the "trusted host" and "trusted user.” From 
the trusted host, ail remote log-ins are accepted withoure. 


password. A trusted user is a single user who is allowed to 
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Neg-ine frome nismwoOn. ner local “system” to another  withourn 
supplying a password. A list of the system's trusted hosts is 
located in the file /etc/hosts.equiv. 

In the home directory of every trusted user is a rile. 
called .rhosts, which lists the systems from which the user 
can log in without a password. Often the user configures each 
account so that he or she may log in from the other hosts 
without a password. Attackers have exploited this by gaining 
access to the user's account on one system, then attempting to 
log-in to the systems named in the .rhosts file. (Lonsford, 
1990) 

Most operating systems, such as IBM's MVS or DEC's 
VAX/VMS with resource access control facility (RACF), have 
split up the various access privileges and allotted them to 
categories. For example, in order to make backups, the 
Operator must have the ability to read any dataset on the 
system. That privilege might be called READALL. The security 
administrator, who sets up the system rules and file 
protections, would have a privilege on his personal account 
called security. Unix, however, has no such distinctions; 
it's all or nothing when it comes to system privileges. 

Unix has only one privileged ID or account, which has 
fie privileges. Jt is common practice at’ Unix sites to share 


this superuser ID, called root, among the system 
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administrators simply by sharing the password. Of cOWeee. 
sharing an ID and password creates an accountability problem. 
(Gomstord,. 1990) 

As a remedy, many Unix systems require the privileged 
user to log into a personal account first, the use the setuser 
command to log in again as root. Thus, the privileged user 
must know two passwords to become root. A byproduct of@igie 
setuser command is an audit record that tracks who logged in 
aS 7 OO c. 

Obviously, these procedures are only good if the users 
who are allowed to sign on as root are trustworthy. A user 
wno can bypass or override such security controls has tne keys 
to the entire system. Any user who is signed on as root, the 
highest level of Unix privilege, can delete the log records on 
all but the most secure systems, This is true, not only of 
Unix, BDuteyMs ~Siys and “other we perat pigs ys cems- 

Once the IS staft have secured user-IDs, they smeutd 
LUD Compas swords Most operating systems provide a way to 
set requirements for passwords. (Lonsford, 1990) 

Unix, however, has no built-in password-screening 
facility. Nor does it have a place to add one easily--leaving 
users to there own choices. Without guidance from 1S meee 
users will pick an easy password and stick with it. 
Fortunately, some new versions of Unix and commercial add-on 
packages, provide password generators that can improve basic 


Unix 1D and password administracrven- 
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Another vulnerabiliity ale Unix's password 
administration is that the file containing user-IDs and 


Basswerds, caitled /jetc/passwd, is publicly readable. Altnouch 


Poe = passwords in <=ne file are -encrypted,. the encryption 
routine is readily accessible. Encrypting a guess at a 
pt-=snord aio comparing i= with those in the password flie is 


Pee tncis Matter. Newer versions cot Unix,” Such Fas “sta 
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Piegrosysvtems ince.°S SunmCsS version 4.0, and AraiT’s System Vv 
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release 2.2 and System V,MLS, nave addressed the problem by 
moving the passwords trom /etc/passwd into a shadow file that 
78s readabiec only by root. ‘Lonsford, 1990) 

Beciding Which files on the sysuem are critical is key 
Zee ce uN ninG ii@Our “cO’-Structure Unix S ) files transfer 
mechanisms anc remote access features. These files should, of 
course, inciude the operating system and configuration files, 
Password file and any shared program files, including both 
source and executable program files. 

Unix provides several features to contro! and monitor 
memoce access. Unix can, for instance, limit remote commands 
menmprevent remote system users from. controlling the central 
system. The exact contro!!ling mechanism depends on the flavor 
Sry Unix in use. Some Unix systems restrict the use of 
commands by specific remote nodes; some have restrictions tnat 
include a!l remote nodes. Regardless of the mechanism, the IS 
stafr snould decide which commands and directories should be 


accessible to remote users or disallow all remote commands. 
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The administrator should also be sure he/she has enabled the 
Unix feature that automatically generates audit trailsmee 
remotely initiated activities, and it should be reviewed 


regularly. (Senstordyeer es) 
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VII. ALTERNATIVE AUTHENTICATION MECHANISMS 


This chapter discusses alternative security techniques to 
traditional and advanced password schemes. Such alternatives 
include hardware features, tokens, smart cards, and biometric 
@evices (See Fig. 3). Several of these methods are used in 


Gonjunction with traditional passwords or PINs. 
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Figure 3. Alternative Authentication Mechanisms 
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A. HARDWARE FEATURES 
1. Automatic Call-back 

One early solution to the end-user authentication 
problem in a network environment was the call-back device 
(Murray, 298s; Gwitsen, 233 or 

With an automatic call-back system, an authorized user 
dials a computer system. After a user identifies himself to 
the system, the computer breaks the communication line by 
hanging wp “Gh “Ene user: It then compares the usenmegagd 
telephone number to an internal list and calls the user back 
at a predetermined number. 

All dial-back accomplishes is to change the telephone 
number the hacker must attack. The effectiveness of the call- 
back system is based on the assumption that it is calling back 
an @€nd=point -of thesmeewari, The problem arises when a PC 
user has left his PC hooked up to his desk telephone in order 
to conduct business from another remote location. To break 
in, all a hacker may need to do is call up that user's office 
telephone and do a logical execution of the PC function keys 
until finding the one which automatically dials Wiaia 
departmental minicomputer. If a user has programmed all 
his/her host sign-on codes into the PC, the hacker performs 
another logical execution ot the function keys, causing the 
MiniComputer Co. aucemMatircal ly Bata We tiee sy ene neste And the 


host, after recognizing the call on one of its call=bagg 
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lines, hangs up and calls the remotely controlled minicomputer 
Sack Murray, 1983; Wilson 1987). 

In a closed network system where the end-points and 
telecommunications paths of the network are known, an 
automatic call-back system can be a useful security device. 
But in today's open network system the automatic call-back 
System as a means of security is limited. (Wilson, 1987) 

2. Authentication Servers 

Working in a network environment poses additional 
threats to security since penetrating a machine may enable a 
Penetrator to compromise other network-connected computers as 
well. Authentication servers are one way of authorizing users 
to all machines on a network. An example of such a mechanism 
is Kerberos, an authentication mechanism for untrusted 
workstations developed at the Massachusetts Institute of 
Meenmology for their Project Athena network of workstations. 
(Jobusch and Oldehoeft, 1989) 

The Kerberos system is a "trusted third-party 
authenticator" meaning the network clients using the system 
trust the server's "judgement as to the identity of each of 
its other network clients to be accurate." The authenticator 
server maintains a database of its network clients and their 
private keys. Using these private keys along with session 


keys generated by the server, tickets identifying network 
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clients are created and used as evidence of authentication. 
Kerberos can be used to authenticate all network services. 

When a user identifies himself as a Kerberos client by 
entering a user name, the user name is sent to the 
authentication server, along with a request for ticket- 
granting service. The authentication server first Wehec oma 
see if it knows about the network client. If so, the 
authentication server generates a random session key to be 
used during communications between the network client and the 
ticket-granting server. The authentication server then 
forwards information on the network client to the ttekerws 
granting server, encrypted with a key known only toa Vehe 
authentication and ticket-granting servers. A copy of Geis 
ticket is then sent to the network client, encrypted in the 
network client's private key which was derived from the user's 
password, Known only by the network client and the 
authentication server. The network client then asks the user 
for the password. The entered password is then used to 
decrypt the response from the authentication server. The 
ticket contained in the response is then the information that 
the metwork client needs in order to request network servreece 

While the Kerberos method is complicated, it achieves 
the primary goal of authenticating untrusted workstations and 
their users. (Jobusch and Oldehoeft, 1989) 

More sophisticated measures than passwords and 


hardware features are needed to control the security problems 
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in this new, open network environment. The solution for the 
commercial environment is a sign-on security mechanism, 
independent of network contiguration, that unequivocally 
identiries the specific authorized user seeking system access. 
This enhanced security can be accomplished using dynamic 
easswerd devices and one-time password devices. These devices 


are discussed in the following section. 


B. TOKENS AND SMART CARDS 

The major challenges to increasing security in information 
systems have been cost and convenience (Weiss, 1990). What is 
Meeded is €O provide a cost-effective increase in the level of 
security without burdening the user oor the security 
administrator; system users need to maintain the convenience, 
portability, and flexibility of a simple password; and must 
exponentialiy increase system security at the same time. An 
effective way to accomplish these goals is to supplement the 
traditional password with an authentication mechanism (e.g. 
tokens) (Weiss, 1990). 

An example of a token as an authentication mechanism is a 
bank ATM card. It requires a user to insert the card into a 
“card reader" at the ATM terminal--which reads data stored on 
the card's "magnetic tape" and then demands a_e second 
Paemtitfier: the user’*s memorized PIN to verify access. The 
ATM card along with the PIN ensures that the user is 


authenticated properly. (Weiss, 1990) 


DES, 


Any strategy to develop a creative solution should 
emphasize three overriding criteria: greatly increased 
security, end user convenience, and flexibility. This 
Criteria led to thewtollowing goals: 


Any new scheme must be at least several orders of 
magnitude more secure than existing technologies. 


The convenience, portability, and ease of use associated 
with passwords should be maintained. 


No additional equipment should be required at the physical 
ferulmal.. 


If a token were used, it should be as convenient to carry 
as credit card, (hopefully very similar in size). 


A token should strongly resist counterfeiting. 

The computer access token should support added value by: 
being adaptable as an ID badge; provide over-the-phone 
authentication; allow for additional uses such as physical 


access control and encryption key generation. (Weiss, 
1990) 


One solution is to design a credit card-size device Whig 
can electronically "display" a code unique to an individu 
Tf such a card could change its display every 30 onmmee 
seconds--and a synchronized host computer was programmed to 
accept that card's displayed code only while it was being 
displayed, and then but once--then the risk of electronic 
eavesdropping or casual observation evaporates. (Weiss, 1990) 

About 20 vendors currently market such hand held devices, 
each of which contains a microprocessor, battery and Lep 
readout and ranges in price from $30 to $100 per unit. Four 


vendors' product, however, lead the market: Enigma Logic's 
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Mulktisync and Access Card; Racal-Guardata'’s Watchword 
Generator; Digital Pathways’ Securnet Key; and Security 
Dynamics' SecurlID. Token software, which can reside on a 
maintrame, minicomputer or personal computer, is customized 
mor weach Jnstal lation .-and)enus ‘ranges in Cost. (Highland, 
1990; 

Enigma Logic's Multisyne and Access Card, Racal-Guardata's 
Watchword Generator, and Digital Pathways' Securnet Key 
produce devices that are about the size of a smal! calculator 
with a numeric keypad and use a "challenge-response" strategy. 
Tne wiser logs on to his/her terminal using a PIN and the 
computer response with a “challenge'--a single digit or series 
of digits on the terminal screen--which the user keys into the 
token. The handheld device then performs a computation on the 


challenge based on an algorithm assigned specifically to that 


token. When the token displays the results, or "response," 
the user enters it into the terminal's keyboard. Meanwhile, 
the host has performed the same computation. hee “bork 


responses match, the user's identity is verified. (Highland, 
1990) 

security Dynamics’ device is the size of a credit card and 
Operates on a random-number basis. When the system is set up, 
a starting number, or "seed," is assigned to the token and 
recorded on the host. To access the host, the user first 
enters his/her PIN and then the random number generated by the 


device, which changes every 60 seconds. The host verifies the 
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authenticity of the PIN and then refers to its reference table 
to find the seed as well as the date and time that the seed 
was put into the token. Using an algorithm, the computer 
determines what number the token should have displayed and 
compares it with the number entered. (Highland, 1990) 

Even if a device is lost or stolen, other buijgeaae. 
teatures inhibit illegal access. The software for each token 
allows only a certain number of log-on attempts before locking 
out a user. 

Some token sottware also includes an audit trail and 
built-in alarm that alerts the security administrator ops wie 
Operator of illegal access attempts. Some software can be 
customized to provide data on files accessed as well! as 
C<CCUeIGs. hepomecs. 

While tokens have been available for more than a decade, 
early releases were somewhat unreliable. Battery failures and 
other maltunctions wreaked havoc on systems. While recent 
improvements have made these devices more acceptable for 
general use, these devices pose some drawbacks. 

One problem is the tiny keyboards on the challenge- 
response devices. For any one with medium-size fingers, it 1s 
very difficult to push in a number on the half-centimeéeene 
Square numbers without hitting the key next to it, about 4mm 
away. Many people resort to using an implement such as a 


pencil eraser. 
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The problem is not just reduced accuracy. On the 
Cchallenge-response type of token, a user has only a limited 
amount of time to key in the challenge to the device ane 
response tc the host. If the user exceeds the time limit. 
he/she is automatically logged off. If the user misses three 
times, the system locks him/her out. (Highland, 1990) 

While some tcken software can be adjusted to lengthen the 
response limit, too lengthy a duration will compromise 
security. Limiting time is another good method of screening 
an intruder who is inexperienced with the token. 

Battery life is another concern. A typical battery will 
last five years, but the security administrator should always 
Keep a log to anticipate replacements. On units with embedded 
batteries, the entire token must be replaces. 

The more severe problem posed by faulty or worn-out 
batteries is that the user cannot access the system. In other 
cases, a user might forget or misplace the token, or 1t might 
be stolen. In the last case, the security administrator needs 
to deactivate the user's account. 

Because it is inevitable that an employee will at some 
point leave a token in another pocket or purse, the security 
administrator must keep spare tokens available. 

As with passwords, the use of tokens can overlook the fact 
that most computer-related crimes or errors are committed by 
authorized users. Software may someday be available to 


support tokens, adding a third layer to the access control 
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system. They could protect Oighly classified” {1)eouee 

challenging any user attempting access. If tokens are 

assigned only to users who should see these files, tckens 

could be used tc screen Unauthorized access. (Highland fee 
l. Fixed Password Devices 

A “dumb" token, such as a credit card carries a fixed 
password. This is communicated whenever the token is read. 
If the host system reads the token directly (electrically), 
the data can be hidden from the user. The user can not 
memorize it create copies or communicate it to others 7 ana. 
one principai consequence of using an authentication device is 
that users need not be trusted with the authenticating data. 
The key, of which there is one copy, remains in the user's 
hand, where its presence can be observed, rather than in the 
head, where it cannot be checked. (Spender, 1987) 

This is only true if the device 18S secUnpe fon 
interrogation by anything other than its host system. There 
must be no other way of reading the data from the token or 
otherwise copying it. The host can add further security by 


updating the data every time the device is used and creating 


cross-checkéd audit trials in both device and host: In 
general, devices can be made more secure if they have 
additional "smarts" such as read/write memory or a 
microprocessor. Then the token can demand identifying data 


from a user and/or the host before operating correctly. 
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A direct reading token needs a reader, such as a 
foenecic. Sesape  reag@e= Sat, the “users, terminal. An 
alternative is to equip tne device with its own reader, i.e. 
engineer it as a calculator-like password generating device. 
Hinemr Guest lvoned by Cre <noOst;, 4 user si rpucs Ghat vgues-s orm ines 
tne token, which generates an answer which is then passed back 
femeae host. Though if the question is always the same, 2 
user wili be able to record the answering password and use it 
Waenout having the token. (Spender, 1987) 

2. Dynamic Password Devices 

In the past several years, a major development in the 
computer security field has been dynamic password security 
systems. Computer users seeking to verify their authorized 
identities through dynamic password systems do not know the 
value of the password by which they gain entry. They may have 
memorized a portion of a required password but the remainder 
can only be obtained from a hardware password issuing device, 
which displays a different password each time it is used 
(Bosen, 1986; Avarne, 1988). 

Some of these devices derive their dynamic passwords 
by encrypting combinations of the current date and/or time (or 
elapsed time between two successive usages). Others encrypt 
their own prior usage history. Most are capable of encrypting 
random-number challenges issued by security logic within the 


protected computer resources. Some encrypt random flashes of 
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light emanating from the “surface of ~aQNERT drivenmee 
appropriate security software. (Bosen, 1986) 

rf the token has an on-board microprocessor it will be 
able ts process data. The microprocessor can be used tome. 
the authenticating data. One widely adopted method is to use 
the authenticating data as an encryption formula or cryptokey. 
A user can be presented with an unexpected text, such as a 
random number. This is entered on the token's calculator-like 
keyboard and the encrypted text read off its display. The 
encrypted reply to the host's random challenge is passed back 
to the hest which then determines the cryptokey used. In 
this way the hosts knows the token's identity and, by 
implication, which user 1S accessing the system. The host's 
task is simplified if it knows all registered cryptokeys and 
Simply establishes which of these, if any, has been used. 

Provided the token's encryption technology is sound, 
this lock and key interaction keeps the authenticating data 
secret. It is only revealed to the host in the complex 
cryptographic relationship between the challenge and the 
response. Randomizing the challenge prevents a user, or 
anyone else, from responding correctly without actually using 
the correct token. (Bosen, 1986) 

There are alternatives to the challenge/response 
approach. Any piece of changing data shared by both the token 
and the host, such as the clock time of the user/host 


interaction, can be encrypted. This type of token needs a 
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clock synchronized with the host's. The advantage of 
pe aon Zed Token 26 that cue Chal lerge data does not need to 
be entered, it is already known to the token. Since the user 
dces not need to enter the challenge, this approach may seem 
more user-friendly. 

The two mode, Bal) challenge/response and 
Syne tr onlzed, create ad:fferent implementation problems, system 
risks and user benetits. Some of the commercially available 
tokens otfer both modes, others only one. (Spender, 1987) 

Dynamic passwords are entirely unpredictable and so 
Cannot be guessed. They are only used once, so are of no use 
to an attacker, if they are intercepted. (Avarne, 1988) 

Several disadvantages are associated with dynamic 
passwords. First, if the token is lost or stolen it could be 
used by an intruder to access the system. Secondly, the 
expense of outfitting each employee with a token may be cost 
prohibitive (Bosen, 1986; Avarne, 1988). 

3. One-Time Passwords 

Another variation of dynamic passwords are one-time 
passwords. One-time passwords use a credit card-sized device 
which can electronically "display" a code unique to an 
individual. The card is designed to change its display every 
3O or 60 seconds--and a synchronized host computer is 


programmed to accept that card's displayed code only while it 
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is being displayed, and then only once--this eliminates the 
risk of electronic eavesdropping or casual sbservaeuen: 
(Weiss, 1990) 

The use of this card requires what appears to be two 
passwords: one classic and conventional, the PIN; the othewue 
the displayed jcarcd-eoce. 
| They are, oft course, different. They share only 
convenience, portability, and ease of usSe. The second ID 
validator, the changing and unpredictable 4 to 8-charaeege. 
card-code displayed on the card's LCD screen, becomes concrete 
evidence (without a card reader) that the card (token) is at 
that peint and time available to the user. It is a coded 
representation of tne possession of an uncounterfeitable 
token. A user's eyes are the card reader, the existing 
terminal keyboard is the ID entry device, the code entered is 
a password that is not a tradition password. (Weiss, 1990) 

One of the strengths of this password scheme is that 
the codes generated and displayed by the card can't be known 
ahead of time, memorized, loaned, or even guessed by anyone. 
There is no pattern; prior codes become irrelevant. 

A user simply reads the displayed alphanumeric 
characters off of the card, types them in--and now, any PC or 
dumb terminal captures two ID authenticators (Weiss, 1990). 

The one-time password produced by the tiny computer 


within the ID card--can replace the memorized password in 
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identifying the user to an Information System. It can also be 
added as a second authenticator to supplement the first. For 
example, the system at the host demands, Elrst, an assigned, 
cecret and memorized password, and only second, the carda-code 
ween, at that moment, ts being displayed on the LD cards LCD 
screen. Together they form a pass-code. (Weiss, 1990) 

The use of this second independent token-basec 
identifier vastly increases the certainty cf end-user 
authentication. Security managers no longer need to worry so 
about one co-worker learning another's password, the headache 
of password administration 18 greatiy reduced. Outsider and 
hacker-related threats virtually disappear; and internal 
threats--always mcre prevalent and serious are controlled 
because audit trails offer solid accountability. 

The pass-code requires two independent elements-- 
something known--the memorized password; and something 
possessed--the ID card and its displayed card code. A lost 
card becomes useless without its complementing password. 
Similarly, the memorized password is worthless without the 
uncounterfeitable card token to generate the one-time card 
code. (Weiss, 1990) 

The proliferation of networks has created great and 
valid concern about the security of passwords transmitted in 
clear-text. A new technology is available which protests the 
secrecy and integrity of your passwords without the expense 


andr cempl ications of (full “network -enery ption. 
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The great strength of the one-time password generated 
by a hand heid ID card lies in its computational 
unpredictability. The displayed card code 1s, in partyeee 
resul+ of a mathematical process known as a one-way function 
‘with data loss). There is no known way to reverse the 
calculation, or predict or compute a fraudulent card eed 
syen With the cand in Nandweroneseue. Absolutely nothing 
transmitted over the network wili ever allow an intruder to 
later-or sequentially-gain illicit aceéess to a progee eed 
system. 

To give full protection to the memorized password, the 
first or the two independent ID authenticators suggested, 
Security Dynamics has developed a SecurID "P Card" (pin pad). 
Still the size of a credit card, the P card has pressure- 
sensitive keys built into it. A user enters his memorized PIN 
into the card, and the displayed sum of the two separate 
authentication codes can then be transmitted over an open line 
with full assurance that an eavesdropper gains absolutely 
nothing if the resulting PASSCODE is intercepted. (Weiss, 
1990) 

A constant added to a random number produces only a 
random sum. No clear-text password is ever transmitted; nor 
is the user's memorized password ever stored within the card. 
The card does not compare or validate the entered PIN; it 
Simply adds it to the next random number generated by the 


card. (Weiss, 1990) 
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4. Relating Tokens and Users 

The ergonomic issues are important because identity is 
associated with the token, not the user to whom it has been 
mesued. Most corporate employees are getting used to carrying 
een card style photo-ID badges. These may double as 
physical access control devices and control the users' 
movement about a secure plant, operating with direct readers; 
magnetic stripe, bar code, tuned eddy-current proximity 
devices and smart cards. Such established behavior patterns 
make a credit-card type token especially attractive. 

A token can be lent, stolen or otherwise fall into 
another's hand. If it alone establishes identity, that 
identity is readily transferred, as a car key transfers the 
driver's identity as far as the car is concerned. One widely 
adopted method of tying the token logically to its legitimate 
user is to have it smart enough to require a user to enter a 
memorized "wake up" PIN. PINS are familiar to ATM users. 
Very sophisticated authentication devices may also have clocks 
and multiple self-aging PINs, which change regularly. Tokens 
may contain multiple "virtual" identities. (Spender, 1987) 

Disadvantages of using token systems include the 
financial burden of providing each employee with a hand-held 
token, not to mention that workers likely would leave the 
devices in their desk drawers, once again breaching security. 


If a token is stolen, broken or disabled it may require more 


el 


time then is acceptable before a user can be granted access to 
the system (Spender, 1987; Highland, 1990). 

Many of today's tokens are vast improvements over 
earlier models. To consider their use for all everyday 
business operations 18s as foolhardy as using the same 
encryption algorithm for all data. Token are a selective 
tool. Each organization has special files and/or systems that 
require additional protection; tokens are an effective way to 


solve this (Highland, 1990). 


C. BIOMETRICS/PERSONAL CHARACTERISTICS 

Experimental personal recognition systems have been built 
around lip prints, blood-vessel patterns in the retina of the 
eye, voice recognition, signature verification, and 
electroencephalogram traces (Carroll, 1987; Wilson, 1987). 

A person's biometric data tends to be a wholly fixed 
password or a way of giving a user a lifetime password. 
Problems arise if this device is compromised. For example, if 
a user is using a signature verification device and a user's 
signature is forged, there is no way for a user to regain 
access to his or her signature. It is lost as an 
authentication mechanism. 

Biometric characteristics are complex, implying large data 
transfers between user and host. Protecting these data 
between reading device and host is correspondingly more 


di tticwre - The comparisons are automated but statistical, 
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Spening Ene System toe problems with Type I errors (admitting 
mye -woong user) and Type li errors (excluding the right user) . 
The complexity and variability of biometric data also creates 
a new type of problem, a user who cannot produce a 
satisfactory template for the system to compare against. 
Getting computers to recognize people can logically oe 
approached two ways; make computers more like peopie. 
equipping them with biometric readers or make people more ‘:ike 


eomeuters, ecu pes ng them with personal computerized 
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authentication devices. The latter strategy seems less 
expensive, more secure and more readily implemented at the 
present time. (Spender, 1987) 

Because of this vendors of biometric systems have focused 
Wanye neavily Om errors in.reading and recognizing, onthe 
cost/performance ratio of their readers and on miniaturization 
WWoerson, L967). 

Human characteristics, although measurable, do change 
unpredictably. For example, a thumb may be dirty, or have a 
cut on it; a user can be hoarse from speaking, or suffer from 
laryngitis. Perhaps his eyes are red and his hands are shaky 
so neither can be read. Most biometric devices have a 
rejection rate in the 4-6 percent range. In a commercial 
environment, where you're trying to use this device to 
identify customers, that may be unacceptably high. 

Overall, this kind of security, provides a reasonable 


basis tor end-user authentication and the foundation for the 
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future implementation of biometrics in open networks. But the 
cost for biometric devices can be very highewhich is cea 
unacceptable for most applications. (Wilson, 1987) 

Biometric devices which have been successfully applied in 
commercially available products include: 

1. Retina Scanner 

The retina scanner bounces an infrared beam off the 
retinas of a subject's eye and traces the pattern of distinct 
blood vessels. No two individuals have the same pattern, so 
this provides identification as precise as a fingerprint 
(Kanner, 1990; Parks, 1991). 

The capillaries within the eye reflect less infrared 
light than the surrounding tissue. What the scanner measures 
is the intensity of the reflection at 320 points along the 
beam path. A number between O and 4,095 is assigned to each 
point's intensity. 

These numbers are then translated into an 80-byte 
computer code to form an "“eye-signature." The small amount of 
data that his code uses gives the retina scanner an advantage 
over other forms of biometric devices, such as those used for 
voice prints or finger prints. 

By matching the retina pattern code to those stored in 
a database, the system can positively identify a person in 
less than three seconds. Another plus is that, once users 


enroll their eye Signatures, subsequent updates are 
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unnecessary. Retina patterns don't change as people's voices 
and signatures do. 

The U.S. Defense and Energy departments have been the 
largest users of retina scanners for the last seven years. 
Pmimarily, tmey me used aS Stationary physical-access control 
systems to weapons facilities and computer rooms. Corporate 
America is slowly finding use for them among financial data 
Senecers . 

Retina scanners present a tremendous opportunity for 
database security applications. This technology offers the 
highest level of security. If it is compared with card-key 
systems, there isn't anything that can be lost or stolen. 
Users carry their ID with them. Also, if an employee leaves 
the company, the locks do not have to be rekeyed. 

A key criterion that any security device must live up 
to is an extremely low false-acceptance rate. A user does not 
have to identify himself/herself to the system beforehand. A 
retina scanner can determine by itself if a user is enrolled 
in the system. Every other machine needs a PIN, or code, to 
know what template by which to compare a user. 

The technology could be valuable for tracking insider 
computer threats from criminal perpetrators. Retina scanners 
can tell which person has accessed a file at a certain time; 
if damage is done, the perpetrator cannot deny it a week 


later. 


Th 


Retina scanners provide an audit trail and 
accountability that lets the system point out an individual 
who may have done something harmrul to the system (Kanner, 
1990:. Retinal patterns have proven to be very erfecti vem 
detected attempted impersonation (Holmes et al., 1990). [t's 
Like leaving fingerprints at the scene of the crime (Kanner, 
290%). In terms of physical-access control, retina scanners 
are outstanding (Kanner, 1990). 

2. Voice Verification Device 

Advances in speech processing technology now ortenean 
attractive and uncebtrusive supplement to current security 
methceds. The wide distribution of microphones in instaeied 
telephones has stimulated the development of user verification 
devices exploiting the variation in voice quality from pememn 
EOeDerson (Parks .s1990;7,FPenz1as, 3907. 

With a voice lock, a speaker's own voca! chords act as 
the key. By speaking, instead of merely typing, authorized 
users allow the voice lock to confirm their identities by 
matching the attributes of their voices against the speech 
samples stored under their names. (Penzias, 1990) 

Imagine a hacker, trying to gain unauthorized access 
to a computer system via a dial-up telephone line. Until now, 
it has been relatively easy to get a list of phone numbers, 
log-ins and commonly used passwords from wundergroumge 


publications, electronic bulletin boards and similar sources. 
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Bad security habits make the gathering of such 
imtormation a commonplace fact of lite. No matter how hard 
system administrators try to increase security, some users 
will thwart this effort by using easy-to-remember passwords-- 
the electronic equivalent of setting a safe's combination to 
(oe, oO.” 

A hacker begins an assault by dialing the first 
number; then a personai computer's programmed attack plan can 
take over and automatically redial the phone number over and 
Over as it tries each possible character combination. 

But instead of the familiar modem tone, a hacker hears 
a voice message: "You have reached port number 6. Please 
identify yourself by speaking your name." 

Such a response complicates an assault because a 
hacker must read aloud from the list on each try or record all 
candidate names in advance. Furthermore, even if a hacker 
happens to hit upon a valid name (and one whose owner happens 
to have a similar accent, age, and gender), the odds against 
getting through are about 100-to-1l. (Penzias, 1990) 

Even if a hacker has somehow obtained a tape recording 
of a user's spoken name by eavesdropping on an earlier 
session, an assault would then move to the next barrier. 

"Please verify your identity by speaking the words, 
'Good morning America how are you.'" (A randomly selected 


sentence is stored in the system's memory.) 
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Suppose the voice lock contains its own tape recorder. 
The hacker runs the risk of hearing those words played to a 
jury someday. 

These formidable obstacles do not place any additional 
demands upon a legitimate users: he/she must remember his or 
her name and use his or her own vocal tracts. Voice locks 
offer similar security enhancements at the desktop end as 
well. 

On the hardware side, a voice lock calls for the same 
digitai signal processor chip platform employed by other 
speech processing applications. such a platform's open 
architecture would permft users to tailor applications to suit 
their individual needs, or to Duy them from software vendors. 

Imagine a stand-alone PC equipped with a voice board, 
dialer and telephone connection. Potential users could either 
dial the PC or access the system directly in whatever manner 
they normally use. In the dial-up situation, users can get a 
series of voice prompts (when the modem shares a line with the 
user's telephone) or begin with a typed request for a log-in. 

In the latter case, the logged-in user will be asked 
to type the number of whatever telephone happens to be closest 
to the user's terminal. The PC then dials that number, which 
the user must answer and reply to in a voice-verification 
sequence. With the user's identity established, the PC hangs 
up the second line and transfers the original line to what 


used to be a regular dial-in port before the voice lock was 
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aaced=-Using the “normal transfer features of ‘the local 
telephone switch. In addition, that same telephone switch 
would presumably limit direct access to the PC's dial-in port. 

For systems in which the user's terminal must access 
the main system directly from the start, the log-in sequence 
triggers a request to the PC (via a hard-wire connection) for 
speaker verification. In response, the PC dials the phone 
number requested from the user during the log-in procedure and 
proceeds to engage the user in a voice-verification dialogue 
during the telephone conversation. 

Once the speaker's identity has been established, the 
PC sends to the main system an okay which allows the typed 
sequence to proceed. Because the PC is engaged only during 
the verification transaction, a single machine can accommodate 
multiple users one after another. Furthermore, such a PC's 
capacity can be further enhanced by the addition of multiple 
voice boards and diallers, thereby sharing the cost of common 
equipment among users. Also, hardware costs might be reduced 
even further by incorporating the above capabilities within an 
existing system and utilizing whatever components it already 
contains. 

What happens when the voice lock does not recognize a 
legitimate user? A typical system can be expected to reject 
a legitimate user about once in every hundred attempts. That 


makes such false negatives about as common as misdialed seven- 


fas, 


digit telephone numbers. As with telephone dialing (and typed 
passwords), a simple retry usually solves the problem. 

Adding a voice lock must not cause a burdensome 
increase in the number of randomly generated retries. The 
need tc type unfamiliar words introduces a higher probability 
of random errors than does a typical voice lock system. 

Non-random problems are handled the same as with any 
other system. For example, if a user has a sore throat, it is 
no worse than forgetting your password or leaving your token 
at home. In such cases, a user might keep the instructions 
for an emergency access procedure locked ina safe place, or 
get a colleague to vouch for him/her. 

Users whose permanent speech impediments preclude the 
use of spoken passwords could train the system with sequences 
of tones instead, such as ones produced by a telephone 
keyboard. (Penzias, 1990) 

3. Finger-Prints 

Fingerprint devices are based on measuring the 
distance between features in a user fingerprint and storing 
this information in a template of some 400-1000 bytes. Low 
cost products using this method are available from several 
manufacturers, Fingermatrix, Ener; Identix, lielous. and 
Thumbscan, Inc. Their prices range from $2000 to $4000 per 
unit. Another method is to use line patterns on the palm of 


the hand to authenticate a user. (Parks, 1990) 
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The fingerprint devices are small and compatible with 
desk and portable terminals and have found their best 
applications in control of electronic channels (Parks, 1990). 

4. Hand Geometry 

A system based on the silhouette of the hand was the 
first biometric device commercially offered. Several 
manufacturers have resurrected the idea and one system is also 
using the vertical profile of the hand in addition to the 
Siihouette. 

Template sizes vary between 9 and 1000 bytes. Price 
per unit range between $3000 and $5000. (Parks, 1990) 

5. Signature Dynamics 

The use of the written signature is so familiar in 
commercial dealing for authenticating documents and (for 
closing transactions that their use is generally preferred for 
automation of user verification in banking transactions 
(Parks, 1990). 

Signature dynamic devices all use instrumentation 
which measures geometric and/or dynamic properties of the 
action of writing a signature in real time and, therefore, at 
the point and time of the transaction. Different 
instrumentation requires the use of a special stylus connected 
to the unit or allow the user to use any convenient stylus. 

Devices are currently available from IBM Corp., 


Analytical Instruments Ltd., Digital Signatures, Inc., De La 


81 


Rue Systems Ltd., British Technology Group, Communication 
Intelligence Corp., Rolls Royce Business Ventures Ltd., 
T.I.T.N., KXenetek Corp and others. Templates used in 
characterizing signatures range from 40 bytes to 4 kilo-bytes 
according to the method used. Unit prices range from $600- 
$1200. (Parks, [33se) 
6. Typing Rhythms 

The timing between pairs of keystrokes in a 
typewritten stream of characters has been found to vary 
Significantly between typists, even those of modest facility. 
This approach is unique in being potentially both covert and 
continuous, as it can operate on user keystroking in general 
use. (Parks, 1990) 

This method is software based, possibly with a plug-in 


card for PCs and the cost ranges from $500 upwards per 


terminal. Uses are clearly for computing and communications 
system protection. Commercial sources for typing rhythm 
systems include Electronic Signature Lock Corp., and 


International Bioaccess Systems, Inc. (Parks, 1990). 

Several other biometric techniques that are not yet 
available commercially but are in the development stages 
include bloodvessels in the hand, facial images, and iris 


patterns. Other aspects of the human being which have been 
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advanced speculatively as potentially usable for personal 
identification have included gait, ear shape, heart and brain 


waves. (Parks, 1990) 
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VIII. AVAILABLE TOOLS AND PRODUCTS 


This chapter will provide the reader a description Geena: 
encrypted password files operate. It will also describe five 
different commercial access control software packages used on 
IBM operating systems. Other security enhancement software 
packages discussed include password salting and password 


monreors. 


A. PASSWORD ENCRYPTION 

To validate passwords, a system must have a way of 
comparing entries with actual passwords. Rather than trying 
to guess a user's password, an attacker may instead target the 
system password file. 

Encryption of password tables is relied on in many 
instances to preclude unauthorized access to a particular 
password. The encryption process employed often is not very 
sophisticated. For instance, it may involve nothing more than 
modification of each password character by the addition or 
Subtraction of a binary or hexadecimal constant. (Menkus, 
19867) 

A safe way to avoid the compromise of a password file is 
to encrypt the file. Systems have two methods of using 


encryption to protect their password information: two-way 
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encryption and one-way encryption. With two-way encryption, 
the entire password table is encrypted, or perhaps just the 
password column, with a secret key when it is stored. Then 
when a user enters a password to log-in, the password file 
informaticn is decrypted with the secret key, and compared 
with the password that was entered. There is still a slight 
exposure with this method. For an instant a user's password 
is available in plain text in main memory. It is available to 
anyone who could obtain access to all memory. 

A safer approach uses one-way encryption--an encryption 
function for which encryption is relatively easy and 
@Geecryoeion iS relatively “difficult. The password in the 
password table is stored in encrypted form. When a user 
enters a password, it too is encrypted, and the encrypted 
forms are compared. If the two forms are equal, the 
authentication succeeds. 

With one-way encryption the password file can be stored in 
plain view; in fact, the password table for Unix operating 
system can be read by any user, unless special access controls 
have been installed. Backup copies of the password tables are 
also not a problem. (Jobusch and Oldehoeft, 1989) 

One-way encryption process prevents any form of password 
recovery. However, strictly speaking, there is no such thing 
as one-way encryption. Use of the term, typically implies 
that it is impossible to derive material encrypted by such a 


process through known cryptanalytical processes. That is not 


SS 


CoOrmec =. Rather, the encryption process used simply has 
raised the cryptanalysis work factor to a very high level, 
making it unrealistic, in most instances, to attempt to derive 
the password from an attack on the table in which it has been 
stored in encrypted form. (Menkus, 1988) 

Storing a password file in a disguised form relieves much 
of the pressure to secure it. Access may still be limited to 
these processes that have a legitimate need for access. 
However, securing the contents of the table as well as access 
to the table provides a second layer of security. Someone who 
successfully penetrates the outer security layer does not get 
access to useful information. (Kochanski, 1989) 

Because of today's open networks, controls that were 
implemented in the past are no longer adequate. They are 
still necessary but not sufficient. The old network controls 
used point-to-point encryption and the Data Encryeeame 
Standana’ (BES): These are being replaced by end-to-end 
encryption, message authentication, and even new encryption 


algorithms. (Wilson, 1987) 


B. SOFTWARE/COMMERCIAL PRODUCTS 

All access control software packages discussed deal with 
three elements: a user, a resource, and an attempt to access. 
When the user (which could be a person at a terminal, a 
program or a batch job) attempts to access a resource (a 


dataset, a transaction, a CICS region, A VM minidisk, or 
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BoamoSt any Ocner definable entity), te 18 the function of the 
access control software to determine whether the access is 
authorized and should be permitted. (Henderson, 1987) 

The five packages described, CA-ACF2, Omniguard, RACF, CA- 
iepeoecret, and VMNSECURE all run in any iL8M or LBM capable 
environment. 

1. Access Control Software 

a. CA-ACF2 

In a CA-ACF2 controlled system, passwords are used 
for system entry validation. The user's password is stored in 
the CA-ACF2 Logonid database in a one-way encrypted format. 
When a user logs on and enters his/her password, it is 
immediately encrypted and compared to the stored password. If 
they match, access is allowed. An installation can specify 
that passwords meet certain requirements: 


Number of invalid tries in a session before the session 
will be canceled. 


Number of invalid tries ina day before Logonid will be 
suspended. 


Minimum character length of the password. 
- Whether the user is allowed to change the password. 


- The minimum number of days which must pass before a user 
can change the password. 


The maximum number of days which can pass before a user 
much change the password. 


The number of days prior to expiration that CA-ACF2 will 


warn the user that the password must be changed. 
(Henderson, 1988) 


oy 


CA-ACF2 prompts for password entry in display 
inhibited screen areas. In a CA-~ACF2 system, passwords are 
encrypted with a one-way encryption algorithm, using an 
extension to DES. 

If a TSO user does not specify a specific Log=ommar 
in the Job Control Language (JCL), CA-ACF2 provides formance 
automatic inheritance of the Log-on ID of the “fs® use. 
Access decisions in the batch job will be based Upcinwiee 
authority of the submitter. No additional password entry is 
required, nor must the password be retained in the system or 
put in the JCL for these submissions. 

Users may change passwords without jeopardizing 
previously submitted jobs. Any job submitted before a 
password change will be unaffected as CA-ACF2 provides for 
automatic ID inheritance without password revalidation. 

There are techniques available for administrators 
who prefer not to use passwords on JOB cards. An installation 
can specify Logonids and passwords ina batch job with special 
CA-ACF2 control cards in the JCL called //*LOGONID and 
//*PASSWORD. A password submitted in this fashion will be 
suppressed at validation, so that it will never appear ina 
listing. Also, Log-on IDs can be authorized to run without 
the password requirement. This feature provides for ease of 
use in a production environment. 

When an on-line user first enters a new password it 


must be entered twice to confirm that the first entry doesn't 
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have any typos. This ensures the user does not make a typo 
when changing passwords. This is particularly useful. as all 
passwords are entered in non-display fields, and the user 
cannet visually inspect what has been entered. (Henderson, 
eee me 

b. OMNIGUARD 

OMNIGUARD encrypts the users' passwords and then 
uses a hashing algorithm. Encryption ot all passwords is via 
DES. The users' passwords are not made available to anyone, 
not even a top leve! administrator. If the password is hard- 
coded in the scneme, the OMNIGUARD compiler will return the 
output with the password commented out. 

Password controls for OMNIGUARD include: the 
password must not match the iast four passwords, that they be 
at least four characters in length, and that the password 
contains at least three different characters. The length and 
number ot different characters may be changed by the security 
administrator. It is also possible to force a user to sign on 
with two additional passwords that may be up to 256 characters 
each in length. Assignment of passwords can be as rollows: 
user selects his own password, the system administrator 


assigns the password or OMNIGUARD can randomly assign a 
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password. Additional editing criteria applied to a Weers 
password are: 

Cannot be the same as the user ID. 

Maximum and minimum character length can be required. 

No more than three characters can be the same. 

A time expiration for passwords may be set. 

Number of invalid password attempts before a user session 


1s canceled by either deactivating the terminal or user 
identification. (Henderson, 1988) 


OMNIGUARD provides the default values cof three 
unsuccessful attempts in five minutes. [rt this occurstaeene 
system will take the terminal out of service, drop tne =pewe 
or deactivate the user's ID (Henderson, 1988). 

Cc. RACE 

RACF uses the DES algorithm for encrypting 
nasswords when stored on its database. RACF also entorces the 
installation's defined password standards which include: 

Number of consecutive invalid password attempts. 

Password value. 

Frequency with which passwords must be changed. 
- Limitations on re-use of old passwords. 


User-definition of new passwords. (Henderson, 1988) 


There are special controls over passwords that 


include length and character composition. Like the Omniguard 
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software it is possible to force a user to sign on with two 
additional passwords that may be up to 256 characters in 
length. Assignment of passwords can be as follows: user 
selects his own password, the system administrator assigns the 
password or RACF can randomly assign a password. 

Once a user's password is entered into the system. 
RACF insures that the password will not be compromised. 
Because the password is one-way encrypted via DES, no means is 
provided to read a password from auser's profile. With TSO/E 
Release 3, the password is not kept in memory tor TSO. 
Passwords are not displayed on terminals when entered and are 
print suppressed to JES output. 

When jobs are submitted from TSO a user may supply 
a user ID/password on a JOB if desired. If no password is 
supplied, the JOB will automatically run under the user ID of 
the validated user. Once jobs are submitted, a user can 
change his/her password without jeopardizing those previously 
submitted jobs. 

Passwords are not required to verify that a batch 
job properly represents the user it seems to. Validated user 
Pee propagation by JESZ/3 supports entry of batch jobs into the 
system without userid/password parameters. In addition, RACF 
Supports the surrogate user function (via the FACILITY 
resource class). This allows a designated user to submit a 


job on behalf of another user. 
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A common user ID can be used for different systems 
and difterent passwords can be used for each subsystem. er 
the RACF dataset is shared there will be one password. It 
there are separate systems, each with RACF, the user IDs could 
be common but with different passwords. (Henderson, 1988) 

d. CA-TOP SECRET 

CA-TOP SECRET provides extensSlve password Conmacue 
to minimize password compromise or guessing. Once entered 
into the system user passwords are encrypted on the CA-TOP 
SECRET SsecUumre, miele. Special controls for user- selected 
passwords associated with CA-TOP SECRET include: 

A user may not use any of his/her last three passwords. 


A user may not use a password similar to the last password 
used. 


A user may not change a password more than once per day 
(Henderson, 1988). 


The installation may optionally specify the 
fo! lowing -COMmemols : 
The minimum length of a password 


The minimum number of days during which a user will not be 
allowed to change a password after it has been changed 


That the user may not use a password equal to his/her 
access control ID name or pretixed with information found 
in the user's name field 

That only number may be used 


That letters may not be repeated 


That vowels may not be used 
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That the user may not change his/her own password 

That random password generation is required 

That a password mask or pattern of consonants. vowels, and 
numerics must be tollowed when cnanging or randomly 


generating a password 


That 2 password must contain more than one word making it 
More Gltticult <o guess 

That the password may not be pretixed with any entries in 
a CA-supplied restricted password list (this list may be 
modified to reflect installation standards) 


The interval during which warning messages are issued 
betore a password expires. (Henderson, 1988) 


The number of invalid attempts to enter the system 
1S variable trom 1 to 255 occurrences. This feature may also 
be deactivated it desired by the installaticn. Once the 
threshold is reached, the user is suspended and can only be 
reactivated by an authorized administrator. 

There are several options available for deriving 
and Validating access control [Ds (ACID) without requiring JCL 
changes or passwords on job cards. If a user submits a job 
through any racility, including batch, which uses the internal 
reader, CA-TOP SECRET propagates the ACID of the user who 
submits the job to the job card without revealing the password 
in plain text. If the user submits a job to run under another 
user's ACID, CA-TOP SECRET will verify at submit time that the 
Weer has the authority =o do 30. The installation may also 
choose to propagate an ACID that is equal to the job name or 


a portion of the job name. A default ACID may be speciried 
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for each facility. This ACID will be used if an invalwameeny 
or no ACID appears on the job card. The installation can 
additionally choose to derive an ACID from intormation on the 
job card without requiring the coding of a password. The ACID 
can be derived from a Spe€citic portion “of accom 
information, programmer name, user Keyword, job name, or 
reader name allowing special ACIDs to be derived for card 
readers and RJE/NJE readers. (Henderson, 1988) 
e. VMSECURE 

VMSECURE requires the use of a password for log-on 
authentication. With full rule-based access, no passwords are 
required for minidisks. To prevent compromised passwords, 
passwords can be masked sO that users and system 
administrators cannot see their passwords. If opawena! 
password encryption is implemented, the clear text passwords 
cannot be seen even by the system administrator. 

Password controls include reuse limiting (camet 
reuse any of the last 8 passwords), automatic expiration. 
Password encryption, number of consecutive invalid attempts 
allowed to enter the system, and user exit so a site can 
specify additional controls it needs. 

When an on-line user first enters a new password it 
must be entered twice to confirm that the first entry doesn't 
have any typos. This ensures the user does not make a typo 


when changins passwords. This is particularly useful, as all 
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passwords are entered in non-display fields, and the user 
Cannot visually inspect what has been entered. (Henderson, 
1988) 

2. Password Salting 

The Unix operating system incorporates an encrypticn 
derense mechanism called "password salting’. When a user's 
new password is first entered, the password program obtains a 
12-bit random number and appends it to the password. The 
linked string is then encrypted and both the 12-bit random 
number (or salt}, and tne results of the encryption are stored 
in the password file. When a user subsequently logs onto the 
system, the 12-bit number is taken from the password file and 
appended to the typed password. The encrypted result must 
match the encrypted string in the password file. Las 
modification significantly complicates the work of testing a 
given character string, using key search, against a large 
collection cf encrypted passwords. Each password now has 
4,096 possible encrypted versions. (Gish, 1985) 

While the key search method of attack has been slowed 
down by the use of DES and the "salt", this technique still 
works on most Unix systems. Since the password-based 
ciphertext, "salt", and the encryption algorithm are not 
secret, key search techniques are limited only by available 
computer time to do the encryption and dictionaries used to 


provide the guesses. (Jobusch and Oldehoeft, 1989) 
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3. Upass 

The Navy is now testing a new Unix password management 
and control product that will give systems administrators 
better security controls (Schwartz, 1990). 

Unitech Software Inc., produces Upass, a Unix S@¢izame 
package tnat allows a systems security officer to administer 
user account control and maintain a Secure Unix environment 
without being a Unix programmer. The Navy Military Personnel 
Command (NMPC) is testing Upass. (Schwartz, 1990) 

Upass gives a system greater security through password 
GOneEEOG. and automatic reporting procedures that are 
transparent to the end users. 

Using Upass, system administrators can make existing 
log-in procedures secure enough to meet DOD requirements for 
systems that handle classified or sensitive materials. Upass 
stores passwords aS one-way encrypted data, making it 
impossible for anyone to v:i-+w them. Forgotten passwords 
cannot be re-created and user numbers cannot be reassigned, 
other than to the original name. 

Administrators can receive notice of possible attempts 
to penetrate the system in real time. The system can notify 
administrators of repeated unsuccessful attempts to log in or 
attempts to log-in from a port not authorized to a given user 
name. 

Upass also provides administrators with a 


comprehensive security profile fer each user, showing Use 
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name, number and all security options in effect. It allows 
@or password changes and log-in history and current password 
change status. 

The package lets security orficers administer user 
Geeawn. control without having access to rec= . passwords 
eenvare se? 1990). 

4. Password Monitors 

A password monitor 1s a program that grades a user's 
cheice for a password based on how likely it is that the 
password could be guesses. Such programs are usually 
incorporated into the password changing program, so that when 
users try to select a poor password, the system will reject 
fae 

a. The Password Predictor 

"The Password Predictor" is a password monitcr 

program designed to augment the existing password mechanism 
for 4.2 Berkeley Software Distribution (4.38SD) version of 
Unix, by giving the system administrator an automatic 
mechanism to monitor the use of trivial passwords. When the 
program is executed, it carries out a selective key search on 
the password file. The password predictor guesses trivial 
passwords and then leaves a message in the user's area. This 
compromise of the user's password should encourage him/her to 
enter a more complex password since it demonstrates that a 


trivial password is easy to guess. The message tells the 
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user, “Your password is NOT secure”. The program uses several 
lists of guesses that include: 

frequently used words from the system dictionary 

common names and nicknames 


a large sampling of the most frequently spoken and 
written six to eight character English words" 


Strings from the comment field of the system password file 


miscellaneous names, including streets, music groups mame 
Gilcies 


‘personalized guesses’; "trivial passwords a user is known 
+o have used in the past”. (Jobusch and Oldehoeft, 1989) 


Use of the password predictor will heighten 
password security awareness and result in passwords being 
composed from a richer character. set. It does Sner 
inconvenience the user by forcing him/her to choose an obscure 
password; it just demonstrates the importance of having one. 

The 4.3BSD system has a simple password monitor 
that can be avoided. No password guessing program is provided 
with the standard password mechanism software (Carroll etal., 
1988; Jobusch and Oldehoeft, 1989). 

b. Password Coach 

Another example of a commercially available 
password monitor is Password Coach. It is a completely 
transparent unless users choose a weak password. Users 
continue to choose their own passwords, so their passwords 


will continue to be easy to remember. It screens these 
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passwords to make sure that they are not in the dictionary; 


common first names; biographical names; geographical names; 


technical, medical ,or legal terms; keyboard scales (tor 
examrie asdrgnjkl); account names; or other easily guessed 
character strings. It a user chosen password is wear, 


Password Coach provides the user immediate teedback on 
specific reasons why it is weak and then asks the user to 
enter ancther. Users quickly learn how to construct strong 
passwords because the program provides explicit reasons why 
passwords are weak. Password Coach comes with a dictionary of 
over 140,000 American English words. Each word constitutes a 


weak password. Optional dictionaries include several other 


languages. The software also allows organizations to define 
their own forbidden weak passwords. For example, user names, 
Boi, Citie, social security numbers, telephone numbers 


addresses, and other "words" defined as weak. (Wood, 1990) 
Password monitoring programs have the same effect 
on users as password generators. If the monitor programs 
accept only random characters as passwords, users will not be 
able or willing to commit the password to memory, and will 
instead write them down. Allowing these programs to accept 
rememberable passwords, while discarding obvious ones, is the 
key to a successful monitoring program. (Jobusch and 


Oldehoeft, 1989) 
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IX. PASSWORD USE IN THE MILITARY 


Tne military has always taken for granted the oven rae. 
importance of security. They are particularly concerned about 
preventing leakage of information, and have tended to see 
computer security largely in terms of the control of access to 
classified documents (Wilkes, 1990). 

In August 1983, the Department of Defense Computer 
Security Center published CSC-STD-001-83, Departmemeiad 
Detense Trusted Computer System Evaluation Criteria. This 
publication defines and describes feature and assurance 
requirements for six hierarchical classes of enhanced security 
protection for computer systems that are to be used for 
processing classified or other sensitive information. A major 
requirement common to all six classes is accountability. (DoD 
Password Management Guide, 1985) 

The trusted computer system evaluation criteria described 
in the Appendix applies primarily to trusted, commercially 
available automatic data processing systems. They are also 
applicable to the evaluation of existing systems and to 
specification of security requirements for ADP system 
acquisition. Included are two distinct sets of requirements: 
1) specific security feature requirements; and 2) assurance 


requirements. The specific feature requirements encompass the 
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capabilities typically found in information processing systems 
employing general-purpose operating systems that are distinct 
from the applications programs being supported. However, 
Specific security teature requirements may also apply to 
Specitic systems with their own functional requirements 

applications or special environments (e.g., communications 
processors, process control computers, and embedded systems in 
general). The assurance requirements, on the other hand, 
apply to systems that cover the full range of computing 
environments from dedicated controllers to full range 
multilevel secure resource sharing systems. (DoD Trusted 


Computer system Evaluation Criteria, 1985) 


A. MILITARY ENVIRONMENT PASSWORD USAGE 

Passwords are used to prevent people who have physical 
access to an ADP system from gaining access to data belonging 
to another user. Thus, a password should be protected ina 
manner that is consistent with the damage that might be caused 
by its exposure to someone who has the opportunity to use it 
(i.e., has physical access to the ADP system terminals). 
Exposure of a password to someone who is physically prevented 
from attempting to use it is not a threat. 

1. Systems Containing Only Unclassified Information 

Although an ADP system may process only unclassified 

information, it still may require that the data be protected 


from unauthorized use. Although the password is unclassified, 


Por 


the obligation remains chat the user protect this password so 
that only those with a need-to-kKnow can access the data. 
2. Systems Containing Classified Information 

Passwcrds that are used in ADP systems that operate in 
the dedicated or system high security modes should not be 
classified, but should be protected to the same degree as For 
Official Use Only information. In this case, there is no need 
to classify passwords since access to the area in which the 
system resides is restricted to those with a clearance as high 
as the highest classification level of the information 
processed. A person who obtained a password for a system 
running in dedicated or system high security mode but who did 
not pessess the proper security clearance would be unable to 
Gain physicai access to the system and use the password. 

For systems operating in the multilevel security mode, 
passwords may or may not have to be classified. 

When the ability to access classified information is 
based on the physical protection of the terminal rather than 
on the identity of the user (i.e., when all terminals are 
single-level devices), passwords should not be classified, but 
should be protected to the same degree as For Official Use 
Only information. There is no need to classify passwords that 
can only be used on single-level terminals, since physical 
access to single-level terminals is controlled to the level 


associated with the terminal. When the ability to access 
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classified information is based on the user's identity and is 
not restricted by the level or the terminal (i.e., multileve: 
terminalis), each password must be classified to the highest 
ferro InrOrmatvon to Which it provides access. 


When multilevel terminals are used, the 
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determines the user's access authorizations to ciassi 
material based on his identity, and authenticates the identity 
by requiring a password. Thus, the ADP system can protect the 
information it processed only tc the extent that passwords are 
pra tected . For example, a user with Secret clearance can 
access Secret information. Compromise of that user's password 
could result in the compromise of Secret information; 
therefore, the password would be classified Secret. In the 
case of a system with multilevel terminals, disclosure of a 
Top Secret user's password to a Secret user would allow the 
Secret user to login as the Top Secret user and thus gain 
access to Top Secret information. Disclosure of Top Secret 
information to someone with only a Secret clearance can cause 
exceptionally grave damage to the national security. Since 
disclosure of the Top Secret user's password could lead tc 
this, the password must be classified Top Secret. 

Note that classified passwords must not be used on 
terminals that are not authorized for data at the level of the 
password (e.g., a Top Secret password must not be used ona 
Secret terminal). The presence of both single-level and 


multilevel terminals on a system may indicate the need for 
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passwords at each security level. At a minimum, an 
unclassified password should be available for use on terminals 
that are only authorized tor unclassified data. (DcD Password 
Management Guideline, 1985) 

3. Major Features of DoD Guidelines 

Specific areas addressed in the DoD  Passwerd 

Management Guideline include the responsibility of the system 
security officer and of “users, the functionality comers 
authentication mechanism, and password generation. [he emamres 
features recommended in this guideline are: 

Users should de abie to change their own passwords. 


Passwords should be machine-generated rather than user- 
generated. 


Certain audit reports (e.g., date and time of last log-in) 


should be provided by the system directly to the user. 
(DoD Password Management Guide, 1985) 


B. SIMILARITIES WITH PRIVATE SECTOR USE 

Authentication mechanisms are used for the same reasons in 
the military environment as they are in the private sector. 
They are used to protect some type of privileged information 


or data from unauthorized users. 


C. DIFFERENCES WITH PRIVATE SECTOR USE 
While similarities of password use between the military 
and private sector parallel each other the differences are 


many. 
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The military has certain requirements that must be met. 
tf an organication chooses mot to use 
its intormation then 
A Miligtary Organa 2a = 7on 
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X. CONCLUSIONS AND RECOMMENDATIONS 


User authentication is an integral part of any 1S Secure 


mechanism.. While absolute security seems to be unattainable 
(Kochanski, 1989), high degrees of Security are commercraes. 
available. But they can be inappropriate. When evaluating 


various user authentication approaches, auser should consider 
how much security the system really needs. In many cases a 
traditional! password scheme is sufficient. If that does not 
provide adequate security, then a combination of a password 
and one of the alternative authentication mechanisms might 


better suit the organization. 


A. TRADITIONAL PASSWORD MECHANISMS 

While traditional passwords are the most frequently used 
authentication mechanisms (Menkus, 1988), there are many 
problems associated with there use: hard to remember, easy to 
guess. user resistance, written down, low level of security. 

Despite the fact that alternatives to traditional password 
mechanisms exist, it seems that most organizations will stick 
to traditional passwords. This occurs because traditional 
password mechanisms are an integral part of most operating 
systems, are readily available, and are inexpensive to 


install. Thus, careful attention should be given to their 


106 


selection (use a broad character set, force change after a 


Merioa Of tame) and proper use. 


B. ADVANCED PASSWORD MECHANISMS 

If an organization desires to improve its present user 
authentication method while not advancing beyond passwords. 
then an advanced password scheme should be considered. 

While passphrases and question-and-answer mechanisms seem 
to provide for both ease of memorability and difficulty of 
guessing there are still problems with them. Bac imeredui nes 
some type of cuery system be developed for the computing 
system. Also, users may resist having to respond to several 
questions at each Frog =—on attempt. However, user 
authentication by advanced password schemes provide better 
security than traditional password mechanisms. (Smith, 1987: 


ZViran and Haga, 1990bD; Jobusch et al., 1980) 


C. ALTERNATIVE AUTHENTICATION MECHANISMS 

When advancing beyond a password security mechanism, a 
security manager has new options. The sophistication of the 
advanced scheme varies and depends on the leve! of security 
required. Another issue that plays a role in selecting an 
alternative authentication mechanism are the costs associated 


with its implementation. 
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Combining what the user Knows (i.e. a password) with what 
the user possesses (1.e. a token, smart card, biometer device, 


etc.) may provide the ieve: of security required. 


D. RECOMMENDATIONS 

While organizations have many options available in the 
area of access control. user acceptance for any particular 
authentication mechanism is needed. The level of access 
control to implement is strictly determined within a 
DaGpeveuw. an Organization and may be unique to that 


ObG2n1 cation. 
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APPENDIX 


The six Trusted Computer System Evaluation Criteria 
Bivvstons and Classes are: 


Payusion. -D: Minimal. .- ,OLecriOlw — (This ~aivisite> jus 
reserved for those systems that have been evaluated but 
fail to meet all of the requirements for a higher 
evaluation division. 


Dats .OR. C: DIis@reticnary Protection = .C lasses in this 
division provide eo discretionary (need-to-know) 
Brocection and, through the inclusion Of audit 


@apabilitires; «for accountability of .subjects and the 
aecLOns they Initiate. 


Sass eC : Discretionary Security Frotection —— The 
Trusted Computing Base (TCB) of a Cl system nominally 
Satisfies the discretionary access security requirements 
by providing separation of users and data. Le 
incorporates some form of credible controls capable of 
enforcing access limitations on an individual basis, i.e, 
ostensibly suitable for allowing users to be able to 
protect project or private information and to keep other 
users trom accidentally reading or destroying their data. 
The class Cl environment is expected to be one of 
cooperating users processing data at the same level(s) of 
security. 


Class C2: Controlled Aceess Protection — Systems in this 
class enforce a more finely grained discretionary access 
SONtrL Ol ~than Cis systems, « Making™ users,» individually 
accountable for their actions through login procedures, 
auditing of security-relevant events, and resource 
isolation. 
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Divis tones: Mandatory Protection - The notion of eam 
that preserves the integrity of sensitivity Wabelsueand 
uses them to enforce a set of Mandatory access "conenc 
rules 18 a major requirement in this division. Systemomen 
this division must Carry the sensitivity labels wi chem 
data structures in the system. The system developermamgs. 
provides the security policy mode! on Which theme 
based and furnishes a specification of the TCB. Evidenee 
must be provided to demonstrate that the reference morn:itcer 
concept has been implemented. 


Class Bl: Labeled SsSecurivty Protection. — Class Bil 
systems require all the features requires tor a @lasceee 
In addition, an intormal statement of the security pclicy 
modei, data labeling, and mandatory access control over 
named subjects and objects must be present. That 
capability must exist for accurately labeling exported 
Ihteumation: Any flaws identified by testing must be 
removed. 


Class ez. Structured Protection - In class B@ syoveray 
the TCB is based on a clearly defined and documented 
tormal security mode! that requires the discretionary and 
mandatcry access control enforcement found in class Bl 
systems be extended to all subjects and objects in the ADP 


System. In addition, covert channels are addressed. The 
TCB must be carefully structured into protection=cericilea) 
and non-protection-critical elements. The TCB interface 


is well defined and the TCB design and implementation 
enable it to be subjected to more thorough testing and 
more complete review. Authentication mechanisms are 
strengthened, trusted facility management is provided in 
the form of support for system administrator and operator 
functions, and stringent configuration management controls 
are imposed. The system is relatively resistent to 
penetration. 


Class B3: Security Domains - The class B3 TCB must 
Satisfy the reference monitor requirements that it mediate 
all accesses of subjects to objects, be tamper-proof, and 
be small enough to be subject to analysis and tests. To 
this end, the TCB is structured to exclude code not 
essential to security policy enforcement, with significant 
system engineering eine pave the Les design and 
implementation directed toward minimizing its complexity. 
A security administrator is supported, audit mechanisms 
are expanded to signal security-relevant events, and 
system recovery procedures are required. The system 1s 
highly resistent to penetration. 


Bavis Von oA: Verit ved? Protection ~>)inis. division is 
characterized by the use of formal security verification 
methods to assure that the mandatory and discretionary 
Sccunmicy COM hols employed in ene System can elt eceivel, 
protect classified or other sensitive infcrmation stored 
or processed by the system. EXeenS il Ve Gocumen tation is 
reguired to demonstrate that the TCB meets the security 
requirements in all aspects of design, development and 
implementation. 


Class Al: Verified Design - Systems in Al are 
EuUnecteLoOmat lyweguivalene to -“Enose, in-class Bawin cna ne 
additional architectural features or policy requirements 
are added. The distinguishing feature of systems in this 
class is the analysis derived from formal design 
specification and verification techniques and the 
resulting high degree of assurance that the TCB is 
correctly implemented. This assurance is developmental in 
mature, starting with a formal model of the security 
policy and a formal top-level specification (FTLS) of the 
design. In keeping with the extensive design and 
development analysis of the TCB required of systems in 
class Al, more stringent configuration management is 
required and procedures are established for securely 
distributing the systems to sites. A system security 
Samnilnivstraton ~ils “supported.  (lS-security Products. and 
Services Catalogue, 1989) 
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